Change dump_aka to dump_notes and add field for related modules #11769

Merged
merged 9 commits into from
Apr 24, 2019
47 changes: 35 additions & 12 deletions lib/msf/base/serializer/readable_text.rb
Expand Up @@ -286,8 +286,8 @@ def self.dump_exploit_module(mod, indent = '')
# References
output << dump_references(mod, indent)

# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)

return output

Expand Down Expand Up @@ -341,8 +341,8 @@ def self.dump_auxiliary_module(mod, indent = '')
# References
output << dump_references(mod, indent)

# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)

return output
end
Expand Down Expand Up @@ -401,8 +401,8 @@ def self.dump_post_module(mod, indent = '')
# References
output << dump_references(mod, indent)

# AKA
output << dump_aka(mod, indent)
# Notes
output << dump_notes(mod, indent)

return output
end
Expand Down Expand Up @@ -668,19 +668,42 @@ def self.dump_references(mod, indent = '')
output
end

# Dumps the aka names associated with the supplied module.
# Dumps the notes associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_aka(mod, indent = '')
def self.dump_notes(mod, indent = '')
output = ''

if mod.notes['AKA'].present?
output << "AKA:\n"
mod.notes.each do |name, val|
next unless val.present?

case name
when 'AKA'
output << "Also known as:\n"
val.each { |aka| output << "#{indent}#{aka}\n" }
when 'NOCVE'
output << "CVE not available:\n" \
"#{indent}#{val}\n"
when 'RelatedModules'
output << "Related modules:\n"
val.each { |related| output << "#{indent}#{related}\n" }
when 'Stability', 'SideEffects', 'Reliability'
# Handled by dump_traits
next
else
output << "#{name}:\n"

mod.notes['AKA'].each do |aka_name|
output << indent + aka_name + "\n"
case val
when Array
val.each { |v| output << "#{indent}#{v}\n" }
when Hash
val.each { |k, v| output << "#{indent}#{k}: #{v}\n" }
else
# Display the raw note
output << "#{indent}#{val}\n"
end
end

output << "\n"
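Review bot: The 'AKA' and 'RelatedModules' branches call `val.each`, so a module that declares either note as a bare string (e.g. `'AKA' => 'ghostbutt'`) will raise NoMethodError on String the moment someone runs `info`, whereas the generic `else` branch below already tolerates scalar values. Coercing first keeps both shapes working: `Array(val).each { |aka| output << "#{indent}#{aka}\n" }` and likewise `Array(val).each { |related| output << "#{indent}#{related}\n" }`. The same `else` fallthrough also means a misspelled key such as the 'Reliablity' this PR corrects in two modules is printed as an unknown note rather than flagged, so a lint check on the Notes keys would catch the next one. The body of dump_notes continues past the end of this hunk.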
4 changes: 2 additions & 2 deletions modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
Expand Up @@ -59,10 +59,10 @@ def initialize(info = {})
],
'DefaultTarget' => 1,
'Notes' => {
'NOCVE' => 'Patched in 2.00.8643 without vendor disclosure',
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK],
'Reliablity' => [REPEATABLE_SESSION],
'NOCVE' => 'Patched in 2.00.8643'
'Reliability' => [REPEATABLE_SESSION]
}
))

58 changes: 31 additions & 27 deletions modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
Expand Up @@ -16,52 +16,56 @@ class MetasploitModule < Msf::Exploit

def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Failed Restore Command Execution',
'Description' => %q{
This module exploits a -dSAFER bypass in Ghostscript to execute
arbitrary commands by handling a failed restore (grestore) in
PostScript to disable LockSafetyParams and avoid invalidaccess.

This vulnerability is reachable via libraries such as ImageMagick,
and this module provides the latest vector for Ghostscript.

For previous Ghostscript vectors, please see the following modules:
exploit/unix/fileformat/ghostscript_type_confusion
exploit/unix/fileformat/imagemagick_delegate
This vulnerability is reachable via libraries such as ImageMagick.
},
'Author' => [
'Author' => [
'Tavis Ormandy', # Vuln discovery and exploit
'wvu' # Metasploit module
],
'References' => [
'References' => [
['CVE', '2018-16509'],
['URL', 'https://seclists.org/oss-sec/2018/q3/142'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
],
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
'DisclosureDate' => '2018-08-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {'Space' => 4089, 'DisableNops' => true} # 4096 total
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'Space' => 4089, # 4096 total
'DisableNops' => true
}
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
]
],
'DefaultTarget' => 0
'DefaultTarget' => 0,
'Notes' => {
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/unix/fileformat/imagemagick_delegate'
]
}
))

register_options([
37 changes: 19 additions & 18 deletions modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
Expand Up @@ -10,41 +10,42 @@ class MetasploitModule < Msf::Exploit

def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
This module exploits a type confusion vulnerability in Ghostscript that can
be exploited to obtain arbitrary command execution. This vulnerability affects
Ghostscript versions 9.21 and earlier and can be exploited through libraries
such as ImageMagick and Pillow.

For more recent Ghostscript vectors, please see the following modules:
exploit/multi/fileformat/ghostscript_failed_restore
},
'Author' => [
'Author' => [
'Atlassian Security Team', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2017-8291},
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
%w{URL https://seclists.org/oss-sec/2017/q2/148},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
],
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(" # ", ', \, (, and )
},
'Targets' => [
'Targets' => [
['EPS file', template: 'msf.eps']
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => [ 'ghostbutt' ]
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ghostbutt'],
'RelatedModules' => [
'exploit/multi/fileformat/ghostscript_failed_restore',
'exploit/unix/fileformat/imagemagick_delegate'
]
}
))
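Review bot: While this hunk realigns every key in the info hash, 'DisclosureDate' keeps the legacy `'Apr 27 2017'` form, whereas the two sibling modules touched in this same PR use ISO dates (`'2018-08-21'`, `'2016-05-03'`); consider `'DisclosureDate' => '2017-04-27',` so the three related modules agree. The old format presumably still parses since it was already in place, so this is a consistency point rather than a defect. The 'RelatedModules' list added here now also names imagemagick_delegate, which the trimmed description text did not previously mention, so the note-driven output will be slightly broader than before.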

38 changes: 20 additions & 18 deletions modules/exploits/unix/fileformat/imagemagick_delegate.rb
Expand Up @@ -10,8 +10,8 @@ class MetasploitModule < Msf::Exploit

def initialize(info = {})
super(update_info(info,
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).
Expand All @@ -25,21 +25,17 @@ def initialize(info = {})
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.

For more recent Ghostscript vectors, please see the following modules:
exploit/multi/fileformat/ghostscript_failed_restore
exploit/unix/fileformat/ghostscript_type_confusion

If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
},
'Author' => [
'Author' => [
'stewie', # Vulnerability discovery
'Nikolay Ermishkin', # Vulnerability discovery
'Tavis Ormandy', # Vulnerability discovery
'wvu', # Metasploit module
'hdm' # Metasploit module
],
'References' => [
'References' => [
%w{CVE 2016-3714},
%w{CVE 2016-7976},
%w{URL https://imagetragick.com/},
Expand All @@ -49,21 +45,27 @@ def initialize(info = {})
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
%w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
],
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
'DisclosureDate' => '2016-05-03',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c" # ", ', and \
},
'Targets' => [
'Targets' => [
['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
['PS file', template: 'msf.ps'] # PoC from taviso
],
'DefaultTarget' => 0,
'Notes' => {'AKA' => ['ImageTragick']}
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ImageTragick'],
'RelatedModules' => [
'exploit/unix/fileformat/ghostscript_type_confusion',
'exploit/multi/fileformat/ghostscript_failed_restore'
]
}
))

register_options([
4 changes: 2 additions & 2 deletions modules/exploits/unix/webapp/drupal_restws_unserialize.rb
Expand Up @@ -67,10 +67,10 @@ def initialize(info = {})
],
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['SA-CORE-2019-003'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliablity' => [UNRELIABLE_SESSION], # When using the GET method
'AKA' => ['SA-CORE-2019-003']
'Reliability' => [UNRELIABLE_SESSION] # When using the GET method
}
))
